CVE-2025-48432: Django Improper Output Neutralization for Logs vulnerability
4
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Django | pip | >= 5.2, < 5.2.2 | 5.2.2 |
| Django | pip | >= 5.0a1, < 5.1.10 | 5.1.10 |
| Django | pip | < 4.2.22 | 4.2.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the `django.utils.log.log_response` function, which is responsible for logging HTTP responses. Prior to the patch, this function directly used `request.path` in log messages. Since `request.path` can be controlled by an attacker (e.g., by crafting a malicious URL), it was possible to inject control characters (like newlines or ANSI escape sequences) into the logs. This could lead to log injection or forgery, where an attacker could manipulate the appearance or structure of the logs, potentially obscuring other attacks or misleading log analysis tools.
The patch addresses this by ensuring that all positional formatting arguments passed to the logger within `log_response` are escaped using `unicode_escape` encoding. With that encoding a newline byte is written as the visible two-character sequence `\n` and an ESC byte as `\x1b`, so a log call always produces a single line and terminal escape sequences are never emitted raw. This sanitizes the input and prevents the injection of control characters.
The runtime indicator for this vulnerability would be the `django.utils.log.log_response` function appearing in a stack trace or profiler output during the processing of a request that triggers the log injection. The key is that this function handles `request.path` and passes it to the logging mechanism. The vulnerability is triggered when a crafted `request.path` containing control characters is processed by this function and subsequently written to the logs.
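The following is an added example, not Django's own code or part of the advisory: it re-creates the pre-fix pattern (a request path interpolated into a log message as-is) beside the `unicode_escape` treatment the advisory describes, using a constructed path that carries a newline and an ANSI sequence, and adds a small check a defender can run over rendered log lines to spot raw control characters. The helper names (`escape_args`, `log_unsafe`, `log_escaped`, `contains_raw_control_chars`) and the sample path are assumptions made for the example.

```python
import io
import logging

# Constructed sample: a request path that embeds a newline (to forge a second
# log line) and ANSI colour escapes (to disturb terminal-based log viewers).
CRAFTED_PATH = "/admin/login/\nWARNING Not Found: /forged/entry \x1b[31mred\x1b[0m"


def escape_args(args):
    """Escape positional str arguments the way the advisory describes the fix:
    unicode_escape renders control characters as visible escape sequences
    (newline -> \\n, ESC -> \\x1b), so one log call stays one log line.
    Non-str arguments (status codes, etc.) are passed through unchanged."""
    return tuple(
        arg.encode("unicode_escape").decode("ascii") if isinstance(arg, str) else arg
        for arg in args
    )


def _capture(name):
    """Build an isolated logger whose formatted output lands in a StringIO buffer,
    so the rendered log text can be inspected instead of being printed."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_unsafe(path):
    """Hypothetical re-creation of the pre-fix behaviour: the attacker-controlled
    path reaches the log record untouched. Returns the rendered log text."""
    logger, buf = _capture("example.unsafe")
    logger.warning("Not Found: %s", path)
    return buf.getvalue()


def log_escaped(path):
    """Same log call with the positional arguments escaped first, as the
    advisory describes for the patched log_response."""
    logger, buf = _capture("example.escaped")
    logger.warning("Not Found: %s", *escape_args((path,)))
    return buf.getvalue()


def count_lines(output):
    """Number of physical lines the log call produced (should be exactly one)."""
    return len(output.splitlines())


def contains_raw_control_chars(line):
    """Detection check for a single rendered log line: True if it still carries a
    raw C0 control character or DEL, which is what a log-injection attempt leaves
    behind when the logging path does not neutralize its inputs."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line)


if __name__ == "__main__":
    for label, render in (("unsafe", log_unsafe), ("escaped", log_escaped)):
        out = render(CRAFTED_PATH)
        print(f"{label}: {count_lines(out)} line(s), "
              f"raw control chars: {contains_raw_control_chars(out.rstrip(chr(10)))}")
        print(repr(out))
```

Run against the constructed path, the unsafe variant yields two log lines, the second of which is an entirely attacker-authored "Not Found" entry, while the escaped variant yields one line in which the newline and ESC bytes appear as the literal text `\n` and `\x1b`. The `contains_raw_control_chars` check is the kind of assertion worth running over stored application logs when assessing whether an unpatched version has been probed.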
Other functions in the `tests/logging_tests/tests.py` file, such as `test_control_chars_escaped`, `test_async_control_chars_escaped`, and `test_unicode_escape_escaping`, were modified to add test cases for the fix. These functions themselves are not vulnerable but are part of the testing and validation of the mitigation. The core vulnerability resides in `django.utils.log.log_response`.