https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
Following the June 4, 2025 security release, the Django team is issuing releases for `Django 5.2.3 <https://docs.djangoproject.com/en/dev/releases/5.2.3/>`_, `Django 5.1.11 <https://docs.djangoproject.com/en/dev/releases/5.1.11/>`_, and `Django 4.2.23 <https://docs.djangoproject.com/en/dev/releases/4.2.23/>`_ to complete mitigation for CVE-2025-48432: Potential log injection via unescaped request path (`full description <https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>`_).

These follow-up releases migrate remaining response logging paths to a safer logging implementation, ensuring that all untrusted input is properly escaped before being written to logs. This update does not introduce a new CVE but strengthens the original fix.

We encourage all users of Django to upgrade as soon as possible.

Affected supported versions
===========================

* Django main
* Django 5.2
* Django 5.1
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main, 5.2, 5.1, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2025-48432: Potential log injection via unescaped request path
------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/957951755259b412d5113333b32bf85871d29814/>`__
* On the `5.2 branch <https://github.com/django/django/commit/8fcc83953c350e158a484bf1da0aa1b79b69bb07/>`__
* On the `5.1 branch <https://github.com/django/django/commit/31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6/>`__
* On the `4.2 branch <https://github.com/django/django/commit/b597d46bb19c8567615e62029210dab16c70db7d/>`__

The following releases have been issued
=======================================

* Django 5.2.3 (`download Django 5.2.3 <https://www.djangoproject.com/download/5.2.3/tarball/>`_ | `5.2.3 checksums <https://www.djangoproject.com/download/5.2.3/checksum/>`_)
* Django 5.1.11 (`download Django 5.1.11 <https://www.djangoproject.com/download/5.1.11/tarball/>`_ | `5.1.11 checksums <https://www.djangoproject.com/download/5.1.11/checksum/>`_)
* Django 4.2.23 (`download Django 4.2.23 <https://www.djangoproject.com/download/4.2.23/tarball/>`_ | `4.2.23 checksums <https://www.djangoproject.com/download/4.2.23/checksum/>`_)

The PGP key ID used for this release is: `3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_
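
The class of problem behind CVE-2025-48432, an unescaped request path reaching a log line, can be reproduced with the standard ``logging`` module alone. The following is an added example, not Django's code or the patch itself: the logger name, the filter class, the helper functions and the sample path are all assumptions made for illustration, and escaping with ``unicode_escape`` is one possible approach.

```python
import io
import logging

# Constructed sample input: a request path whose encoded line break has
# already been decoded, followed by text shaped like a second log entry.
FORGED_PATH = "/missing\nERROR forged entry (constructed)"


def escape_untrusted(value):
    """Render control and non-ASCII characters as visible escape sequences."""
    return str(value).encode("unicode_escape").decode("ascii")


class EscapeArgsFilter(logging.Filter):
    """Hypothetical filter: escape string arguments before formatting."""

    def filter(self, record):
        args = record.args
        if isinstance(args, tuple):
            record.args = tuple(
                escape_untrusted(a) if isinstance(a, str) else a for a in args
            )
        elif isinstance(args, dict):
            record.args = {
                k: escape_untrusted(v) if isinstance(v, str) else v
                for k, v in args.items()
            }
        return True


def emit_not_found(path, hardened):
    """Log a 404 for `path` and return the physical lines written to the log."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("example.request")  # standalone, hypothetical name
    logger.addHandler(handler)
    if hardened:
        logger.addFilter(EscapeArgsFilter())
    logger.warning("Not Found: %s", path)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print(emit_not_found(FORGED_PATH, hardened=False))  # two lines, one forged
    print(emit_not_found(FORGED_PATH, hardened=True))   # one line, break visible
```

Without the filter, a log reader or line-based parser sees two entries and cannot tell that the second came from the request; with it, the line break stays inside the single entry as a literal ``\n``.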