[manjaro-security] [ASA-202506-6] python-django: content spoofing
Andrea Denisse
denisse at archlinux.org
Fri Jun 13 22:33:50 CEST 2025
Arch Linux Security Advisory ASA-202506-6
=========================================
Severity : Low
Date     : 2025-06-12
CVE-ID   : CVE-2025-48432
Package  : python-django
Type     : content spoofing
Remote   : Yes
Link     : https://security.archlinux.org/AVG-2894
Summary
=======
The package python-django before version 5.1.11-1 is vulnerable to
content spoofing.
Resolution
==========
Upgrade to 5.1.11-1.
# pacman -Syu "python-django>=5.1.11-1"
The problem has been fixed upstream in version 5.1.11.
Workaround
==========
None.
Description
===========
Internal HTTP response logging used request.path directly, allowing
control characters (e.g. newlines or ANSI escape sequences) to be
written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in
terminals.
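The following is an added illustration, not Django's code and not the upstream fix: it contrasts the vulnerable pattern the advisory describes (a raw request path interpolated into a log message) with a version that escapes control characters first, and includes a small check a defender can run over incoming paths. The sample path, the logger names and the helper names are constructed for the example.

```python
import io
import logging
import re

# Control characters that must never reach a log line verbatim: C0 (0x00-0x1f),
# DEL (0x7f) and C1 (0x80-0x9f). ANSI escape sequences begin with ESC (0x1b).
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_for_log(value: str) -> str:
    """Render control characters as visible \\xNN escapes so the logged string
    stays on one line and cannot carry terminal escape sequences."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def has_control_chars(value: str) -> bool:
    """Detection helper: True if a request path contains any control character."""
    return _CONTROL_RE.search(value) is not None


def _make_logger(name: str):
    """Logger writing plain 'LEVEL message' lines into an in-memory buffer
    (constructed for the example; a real deployment would use its own handlers)."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    return logger, buf


def log_response_unescaped(path: str, status: int) -> str:
    """Vulnerable pattern: the raw path is interpolated into the log message."""
    logger, buf = _make_logger("example.unescaped")
    logger.warning("Not Found: %s (status %d)", path, status)
    return buf.getvalue()


def log_response_escaped(path: str, status: int) -> str:
    """Hardened pattern: escape the path before it reaches the log record."""
    logger, buf = _make_logger("example.escaped")
    logger.warning("Not Found: %s (status %d)", escape_for_log(path), status)
    return buf.getvalue()


# Constructed sample path: a newline followed by a forged INFO line, then an
# ANSI clear-screen sequence (ESC [ 2 J) that a terminal log viewer would obey.
CRAFTED_PATH = "/missing\nINFO admin login ok from 10.0.0.1\x1b[2J"

if __name__ == "__main__":
    print(repr(log_response_unescaped(CRAFTED_PATH, 404)))  # two log lines
    print(repr(log_response_escaped(CRAFTED_PATH, 404)))    # one log line
    print("control characters present:", has_control_chars(CRAFTED_PATH))
```

Run as a script, the unescaped variant produces two physical log lines, the second of which looks like a genuine INFO entry and ends with a live escape sequence; the escaped variant keeps everything on one line as `\x0a` and `\x1b` text. `has_control_chars` is the kind of check that can feed an alert when such paths arrive, independent of whether the logging layer is already patched.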
Impact
======
A remote attacker can manipulate log entries by sending crafted HTTP
requests with control characters in the path, potentially spoofing or
injecting content into server logs.
References
==========
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
https://docs.djangoproject.com/en/dev/releases/5.1.11/
https://security.archlinux.org/CVE-2025-48432