django-planet
June 10, 2025

Django bugfix releases issued: 5.2.3, 5.1.11, and 4.2.23

published by Sarah Boyce
in blog The Django weblog

Following the June 4, 2025 security release, the Django team is issuing releases for Django 5.2.3, Django 5.1.11, and Django 4.2.23 to complete mitigation for CVE-2025-48432: Potential log injection via unescaped request path (full description).

These follow-up releases migrate remaining response logging paths to a safer logging implementation, ensuring that all untrusted input is properly escaped before being written to logs. This update does not introduce a new CVE but strengthens the original fix.
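The effect of escaping untrusted input before it reaches a log line, shown as an added example that is not Django's own code and not part of the original post. The function names, the unicode_escape choice, and the sample path are assumptions constructed for illustration.

```python
import io
import logging


def escape_for_log(value):
    """Escape control characters (CR, LF, ESC, ...) in untrusted strings."""
    if isinstance(value, str):
        return value.encode("unicode_escape").decode("ascii")
    return value


def log_response_unsafe(logger, status, path):
    # 'Before' behaviour: the request path is interpolated verbatim,
    # so CR/LF in the path start a new, attacker-controlled log line.
    logger.warning("%s: %s", status, path)


def log_response_safe(logger, status, path):
    # Hardened: every untrusted argument is escaped before formatting,
    # so one request always yields exactly one log line.
    logger.warning("%s: %s", escape_for_log(status), escape_for_log(path))


def capture(log_func, status, path):
    """Run log_func against an in-memory handler and return the log lines."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(f"demo.{log_func.__name__}")
    logger.handlers = [handler]
    logger.propagate = False
    log_func(logger, status, path)
    return stream.getvalue().splitlines()


# Constructed sample: a decoded request path carrying CR/LF and a fake entry.
CONSTRUCTED_PATH = "/missing\r\nINFO forged entry"

if __name__ == "__main__":
    for func in (log_response_unsafe, log_response_safe):
        print(func.__name__, capture(func, "Not Found", CONSTRUCTED_PATH))
```

The unsafe variant produces two log lines from one request, while the safe variant keeps the CR/LF visible as literal \r\n inside a single line.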

We encourage all users of Django to upgrade as soon as possible.

Affected supported versions

  • Django main
  • Django 5.2
  • Django 5.1
  • Django 4.2

Resolution

Patches to resolve the issue have been applied to Django's main, 5.2, 5.1, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2025-48432: Potential log injection via unescaped request path

The following releases have been issued

The PGP key ID used for this release is: 3955B19851EA96EF