Context Navigation

← Previous Ticket
Next Ticket →

#36470 closed Cleanup/optimization (fixed)

Potential log injection in development server (runserver) logging

Reported by:	Natalia Bidart	Owned by:	YashRaj1506
Component:	Core (Management commands)	Version:	dev
Severity:	Normal	Keywords:	runserver log_message
Cc:	Jake Howard	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Natalia Bidart)

django.core.servers.basehttp.WSGIRequestHandler.log_message() may emit log records that are not properly escaped or sanitized, making it possible for specially crafted requests to inject terminal escape sequences or misleading log content. This only affects the internal development server (runserver command). Per the documentation, this server is not intended for production use and has not been security-audited.

Although this is not considered a vulnerability, a fix for defense-in-depth should be applied, also to avoid confusion and future security reports about the same thing. This fix would be in line to what Python does for esacaping.

Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the security mailing list.

Change History (10)

comment:1 by David Sanders, 4 months ago

Triage Stage:	Unreviewed → Accepted

comment:2 by Jake Howard, 4 months ago

Cc:	Jake Howard added

comment:3 by Natalia Bidart, 4 months ago

I think that an ideal solution would be to use django.utils.log.log_response() to implemenet django.core.servers.basehttp.WSGIRequestHandler.log_message().

comment:4 by Natalia Bidart, 4 months ago

Description:	modified (diff)

comment:5 by YashRaj1506, 4 months ago

Owner:	set to YashRaj1506
Status:	new → assigned

comment:6 by houston0222, 4 months ago

Has patch:	set

I noticed this ticket was recently assigned.
I’ve already submitted a PR to fix the issue, including a regression test:
https://github.com/django/django/pull/19592

Happy to collaborate if needed!

This patch strips ANSI escape codes from log_message() arguments in the development server to prevent terminal log injection.
It includes a regression test to verify the behavior.

Last edited 4 months ago by houston0222 (previous) (diff)

comment:7 by Natalia Bidart, 4 months ago

Patch needs improvement:	set

comment:8 by YashRaj1506, 3 weeks ago

Patch needs improvement:	unset

comment:9 by nessita <124304+nessita@…>, 29 hours ago

Resolution:	→ fixed
Status:	assigned → closed

In 9bb8392:

Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND.

Migrated WSGIRequestHandler.log_message() to use a more robust
log_message() helper, which was based of log_response() via factoring out
the common bits.

Refs CVE-2025-48432.

Co-authored-by: Natalia <124304+nessita@…>

comment:10 by Natalia <124304+nessita@…>, 29 hours ago

In f5b6ed78:

[6.0.x] Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND.

Migrated WSGIRequestHandler.log_message() to use a more robust
log_message() helper, which was based of log_response() via factoring out
the common bits.

Refs CVE-2025-48432.

Co-authored-by: Natalia <124304+nessita@…>

Backport of 9bb83925d6c231e964f8b54efbc982fb1333da27 from main.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues