An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:01952-1 advisory.

    - CVE-2025-48432: log injection or forgery due to unescaped control characters being added into logs     (bsc#1244095).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-ad58eb378b advisory.

    - Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
    - Fixes CVE-2025-48432: Potential log injection via unescaped request path

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-2dff80a8a3 advisory.

    - Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
    - Fixes CVE-2025-48432: Potential log injection via unescaped request path

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-6de2ab1d25 advisory.

     - Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
     - Fixes CVE-2025-48432: Potential log injection via unescaped request path


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-d4849e6cf3 advisory.

     - Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
     - Fixes CVE-2025-48432: Potential log injection via unescaped request path


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4210 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4210-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                           Chris Lamb     June 09, 2025                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : python-django     Version        : 2:2.2.28-1~deb11u7     CVE IDs        : CVE-2025-48432 CVE-2025-32873 CVE-2023-41164 CVE-2023-43665 CVE-2024-24680 CVE-2024-27351     Debian Bugs    : 1107282 1104872 1051226

    A number of vulnerabilities were discovered in Django, a popular     Python-based web-development framework:

     * CVE-2025-48432: Potential log injection via unescaped request path.

       Django's internal HTTP response logging used request.path directly,        allowing control characters (e.g. newlines or ANSI escape sequences) to        be written unescaped into logs. This could enable log injection or        forgery, letting attackers manipulate log appearance or structure,        especially in logs processed by external systems or viewed in terminals.
       (Closes: #1107282)

     * CVE-2025-32873: Denial-of-service possibility in strip_tags()

       django.utils.html.strip_tags() would be slow to evaluate certain inputs        containing large sequences of incomplete HTML tags. This function is used        to implement the striptags template filter, which was therefore also        vulnerable. strip_tags() now raises a SuspiciousOperation exception if it        encounters an unusually large number of unclosed opening tags.
       (Closes: #1104872)

     * CVE-2023-41164: Potential denial of service vulnerability in        django.utils.encoding.uri_to_iri(). This method was subject to potential        denial of service attack via certain inputs with a very large number of        Unicode characters. (Closes: #1051226)

     * CVE-2023-43665: Address a denial-of-service possibility in        django.utils.text.Truncator.

       Following the fix for CVE-2019-14232, the regular expressions used in the        implementation of django.utils.text.Truncator??s chars() and words()        methods (with html=True) were revised and improved. However, these        regular expressions still exhibited linear backtracking complexity, so        when given a very long, potentially malformed HTML input, the evaluation        would still be slow, leading to a potential denial of service        vulnerability. The chars() and words() methods are used to        implement the truncatechars_html and truncatewords_html template        filters, which were thus also vulnerable. The input processed by        Truncator, when operating in HTML mode, has been limited to the        first five million characters in order to avoid potential        performance and memory issues.

     * CVE-2024-24680: Potential denial-of-service in intcomma template        filter. The intcomma template filter was subject to a potential        denial-of-service attack when used with very long strings.

     * CVE-2024-27351: Fix a potential regular expression denial-of-service        (ReDoS) attack in django.utils.text.Truncator.words. This method (with        html=True) and the truncatewords_html template filter were subject to a        potential regular expression denial-of-service attack via a suitably        crafted string. This is, in part, a follow up to CVE-2019-14232 and        CVE-2023-43665.

    For Debian 11 bullseye, these problems have been fixed in version     2:2.2.28-1~deb11u7.

    We recommend that you upgrade your python-django packages.

    For the detailed security status of python-django please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/python-django

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The detected version of the Django Python package, Django, is 4.2.x prior to 4.2.22, 5.1.x prior to 5.1.10 or 5.2.x prior to  5.2.2. It is, therefore, affected by a log injection vulnerability as disclosed in Django's June 4th, 2025 security advisory. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 host has a package installed that is affected by a vulnerability as referenced in the USN-7555-1 advisory.

    It was discovered that Django incorrectly handled certain unescaped request paths. An attacker could     possibly use this issue to perform a log injection.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
240816	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2025:01952-1)	Nessus	SuSE Local Security Checks	medium
240179	Fedora 42 : python-django5 (2025-ad58eb378b)	Nessus	Fedora Local Security Checks	high
240175	Fedora 41 : python-django5 (2025-2dff80a8a3)	Nessus	Fedora Local Security Checks	high
240169	Fedora 42 : python-django4.2 (2025-6de2ab1d25)	Nessus	Fedora Local Security Checks	high
240092	Fedora 41 : python-django4.2 (2025-d4849e6cf3)	Nessus	Fedora Local Security Checks	medium
238025	Debian dla-4210 : python-django-doc - security update	Nessus	Debian Local Security Checks	high
237889	Python Library Django 4.2.x < 4.2.22 / 5.1.x < 5.1.10 / 5.2.x < 5.2.2 Log Injection	Nessus	Misc.	medium
237870	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 : Django vulnerability (USN-7555-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2025-48432

medium

Tenable Plugins

medium

high

high

high

medium

high

medium

medium