
CVE-2018-25045: Django REST framework XSS Vulnerability

CVSS Score
6.1 (CVSS v3.1)

Basic Information

EPSS Score
0.63981%
Published
7/24/2022
Updated
7/25/2023
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
django-rest-framework
Ecosystem
pip
Vulnerable Versions
< 3.9.1
First Patched Version
3.9.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from two factors:

  1. The base.html template explicitly disabled autoescaping with {% autoescape off %} around the response rendering logic. Inside that block every variable is emitted verbatim, so Django's default XSS protection was removed for the whole response pane, not only for the value the template author had in mind.
  2. The pre-patch urlize_quoted_links filter gated its escaping on the autoescape flag handed in by the template engine and on whether the input was already marked safe (safe_input). With autoescaping disabled in the template that flag was False, so untrusted, non-safe text passed through the filter unescaped.

Together these allowed untrusted input (e.g., content or response_headers values) to reach the rendered page without escaping. The fix commit removes {% autoescape off %} from base.html and reworks urlize_quoted_links around a single conditional_escape helper that escapes anything not already marked safe, so the filter's output no longer depends on the surrounding autoescape context. Either change alone closes this particular path; applying both means a future template that disables autoescaping again will not silently reopen it.
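To make the two factors concrete, the following is an added, stdlib-only Python model (not Django REST framework's own code: the filter bodies, the template stand-in and the sample input are simplified and constructed here) of how the template's autoescape flag and the filter's escaping interact. It renders the same untrusted string under each combination of template setting and filter version, showing that either fix alone stops the script tag from surviving and that the hardened filter no longer depends on the template.

```python
"""
Model of the two render paths behind CVE-2018-25045. Not DRF's code: the URL
matcher, the filter bodies, the template fragment and the sample input are
simplified stand-ins constructed for this illustration.
"""
import html
import re

# Constructed sample: attacker-influenced text echoed into the response pane.
UNTRUSTED_CONTENT = 'See https://example.com/docs <script>alert(1)</script>'

# Simplified URL matcher; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


class SafeString(str):
    """Stand-in for Django's SafeData: markup the caller asserts is already escaped."""


def mark_safe(text: str) -> SafeString:
    return SafeString(text)


def _linkify(text: str, esc) -> str:
    """Wrap each URL in an anchor; run ``esc`` over the URL and the surrounding text."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(esc(text[pos:m.start()]))
        url = esc(m.group(0))
        out.append('<a href="%s" rel="nofollow">%s</a>' % (url, url))
        pos = m.end()
    out.append(esc(text[pos:]))
    return ''.join(out)


def urlize_vulnerable(text: str, autoescape: bool = True) -> SafeString:
    """Pre-patch pattern: escaping is gated on the autoescape flag the template
    engine passes in. Under {% autoescape off %} that flag is False and nothing
    is escaped, yet the result is still marked safe."""
    safe_input = isinstance(text, SafeString)

    def esc(s: str) -> str:
        return html.escape(s, quote=True) if (autoescape and not safe_input) else s

    return mark_safe(_linkify(text, esc))


def urlize_fixed(text: str, autoescape: bool = True) -> SafeString:
    """Patched pattern: one conditional_escape helper escapes everything unless the
    input was already marked safe. The autoescape argument is accepted for API
    compatibility but no longer decides whether untrusted text is escaped."""
    safe_input = isinstance(text, SafeString)

    def conditional_escape(s: str) -> str:
        return s if safe_input else html.escape(s, quote=True)

    return mark_safe(_linkify(text, conditional_escape))


def render_response_pane(content: str, autoescape_off: bool, urlize) -> str:
    """Stand-in for the template fragment around the response body. The only thing
    an {% autoescape off %} block changes here is the flag handed to the filter."""
    return '<pre class="response-body">%s</pre>' % urlize(content, autoescape=not autoescape_off)


def has_live_script(rendered: str) -> bool:
    """Demonstration check: an unescaped <script> tag survived rendering."""
    return '<script>' in rendered


def render_all(content: str = UNTRUSTED_CONTENT) -> dict:
    """Render the same untrusted content under each template/filter combination."""
    return {
        # Both defects present: what a vulnerable browsable API page would emit.
        'vulnerable': render_response_pane(content, True, urlize_vulnerable),
        # Template fixed only: the old filter is safe once autoescape is on again.
        'template_fixed': render_response_pane(content, False, urlize_vulnerable),
        # Filter fixed only: the hardened filter escapes even under autoescape off.
        'filter_fixed': render_response_pane(content, True, urlize_fixed),
        # Both fixes applied, as in the patched release.
        'patched': render_response_pane(content, False, urlize_fixed),
    }


if __name__ == '__main__':
    for name, out in render_all().items():
        print('%-15s live script: %-5s %s' % (name, has_live_script(out), out))
```

The 'filter_fixed' row is the one worth noting for reviewers of similar code: a filter whose escaping is its own responsibility stays safe even when someone later wraps the template in {% autoescape off %} again, whereas the pre-patch filter was only as safe as the template that called it.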

WAF Protection Rules

WAF Rule

Django REST Framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.
