CVE-2025-48432

NameCVE-2025-48432
DescriptionAn issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4210-1, DSA-6136-1
Debian Bugs1107282, 1107616

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)bullseye2:2.2.28-1~deb11u2vulnerable
bullseye (security)2:2.2.28-1~deb11u12fixed
bookworm3:3.2.19-1+deb12u1vulnerable
bookworm (security)3:3.2.25-0+deb12u2fixed
trixie (security), trixie3:4.2.28-0+deb13u1fixed
forky, sid3:4.2.30-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcebullseye2:2.2.28-1~deb11u7DLA-4210-1
python-djangosourcebookworm3:3.2.25-0+deb12u1DSA-6136-1
python-djangosource(unstable)3:4.2.23-11107282, 1107616

Notes

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
Fixed by: https://github.com/django/django/commit/ac03c5e7df8680c61cdb0d3bdb8be9095dba841e (4.2.22)
Initial 4.2.22 release didn't fix it fully: https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
Follow up: https://github.com/django/django/commit/b597d46bb19c8567615e62029210dab16c70db7d (4.2.23)
Search for package or bug name: Reporting problems