CVE-2018-25045: Django REST framework XSS Vulnerability
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2018-25045
GHSA ID
EPSS Score: 0.63981%
CWE
Published: 7/24/2022
Updated: 7/25/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| django-rest-framework | pip | < 3.9.1 | 3.9.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two key factors:
- The `base.html` template explicitly disabled autoescaping with `{% autoescape off %}` around the response rendering logic, which removed Django's default XSS protection for everything rendered inside that block.
- The `urlize_quoted_links` filter's pre-patch implementation did not enforce escaping in autoescape-disabled contexts. It relied on per-branch manual escaping checks (the `safe_input` and `autoescape` flags) and, when the enclosing template had turned autoescaping off, let user-controlled content through unescaped on every branch.
The combination of these two factors allowed untrusted input (e.g., `content` or `response_headers` values) to render without escaping. The commit diff shows the removal of `{% autoescape off %}` in `base.html` and a rewrite of `urlize_quoted_links` around a single `conditional_escape` helper, so that the same escaping decision is applied on every output path (URLs, their surrounding text, and plain words) instead of in scattered per-branch checks.
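The following simplified Python model is an added example, not Django REST framework's code and not part of the Miggo analysis. It reproduces the two factors above: a filter that only escapes when the template's autoescape flag is on, rendered inside a template block that turned autoescaping off, next to the patched shape where the template leaves autoescaping on and the filter escapes through one `conditional_escape` helper. The word splitter, the URL regex, the `render_content` stand-in for `{{ content|urlize_quoted_links }}`, and the sample payloads are all assumptions constructed for the example.

```python
import html
import re

# Stand-ins for Django's word splitter and URL detection; simplifications for
# this example, not the regexes DRF or Django actually use.
WORD_SPLIT_RE = re.compile(r"(\s+)")
URL_RE = re.compile(r"^https?://\S+$")


def vulnerable_urlize(text, autoescape=True, safe_input=False):
    """Pre-patch shape: escaping decided separately on each branch.

    Django passes the template's current autoescape state into filters
    registered with needs_autoescape=True. With autoescape=False nothing
    here ever calls html.escape(), so untrusted text passes straight through.
    """
    words = WORD_SPLIT_RE.split(text)
    for i, word in enumerate(words):
        if URL_RE.match(word):
            url = html.escape(word) if autoescape and not safe_input else word
            words[i] = '<a href="%s" rel="nofollow">%s</a>' % (url, url)
        elif safe_input:
            words[i] = word  # caller marked it safe
        elif autoescape:
            words[i] = html.escape(word)
        # autoescape=False and not safe_input: word left untouched
    return "".join(words)


def patched_urlize(text, autoescape=True, safe_input=False):
    """Post-patch shape: one conditional_escape helper used on every output path."""
    def conditional_escape(s):
        return html.escape(s) if autoescape and not safe_input else s

    words = WORD_SPLIT_RE.split(text)
    for i, word in enumerate(words):
        if URL_RE.match(word):
            url = conditional_escape(word)
            words[i] = '<a href="%s" rel="nofollow">%s</a>' % (url, url)
        else:
            words[i] = conditional_escape(word)
    return "".join(words)


def render_content(body, template_autoescape_off, urlize):
    """Model of {{ content|urlize_quoted_links }} inside base.html (assumed shape).

    A surrounding {% autoescape off %} block makes Django hand the filter
    autoescape=False; with the block removed the filter sees autoescape=True.
    """
    return urlize(body, autoescape=not template_autoescape_off)


# Constructed sample: attacker-controlled response text as the browsable API
# would display it, mixing a legitimate URL with a script tag.
PAYLOAD = "Error: see http://example.com/help <script>alert(1)</script>"

# Constructed sample: a "URL" token that smuggles an attribute into the <a> tag.
URL_PAYLOAD = 'http://example.com/"onmouseover="alert(1)'


def before_fix():
    """3.9.0 layout: autoescape off in base.html + per-branch escaping in the filter."""
    return render_content(PAYLOAD, template_autoescape_off=True, urlize=vulnerable_urlize)


def after_fix():
    """3.9.1 layout: autoescape left on + conditional_escape in the filter."""
    return render_content(PAYLOAD, template_autoescape_off=False, urlize=patched_urlize)


def href_before_fix():
    """Attribute injection through the href: the URL branch skipped escaping too."""
    return render_content(URL_PAYLOAD, template_autoescape_off=True, urlize=vulnerable_urlize)


def href_after_fix():
    return render_content(URL_PAYLOAD, template_autoescape_off=False, urlize=patched_urlize)


def filter_alone_escapes():
    """The template directive was the trigger: even the old filter escapes
    once Django passes autoescape=True."""
    return "<script>" not in vulnerable_urlize(PAYLOAD, autoescape=True)


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
    print("href before:", href_before_fix())
    print("href after: ", href_after_fix())
```

The check worth keeping from this model when auditing your own templates: any filter registered with `needs_autoescape=True` is only as safe as the autoescape state of the block it runs in, so grep for `{% autoescape off %}` around anything that renders request- or response-derived data, and route every output branch of a custom filter through one escaping helper rather than per-branch checks.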