June 4, 2025
Django 5.1.10 fixes a security issue with severity “low” in 5.1.9.
Internal HTTP response logging used request.path directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.
Although this does not directly impact Django’s security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
django.utils.log.log_response() function now escapes all positional
formatting arguments using a safe encoding.
Jul 26, 2025