[Django] #36470: Potential log injection in development server (runserver) logging
13 views
Skip to first unread message
Django
Jun 18, 2025, 8:08:52 AMJun 18
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type:
| Cleanup/optimization
Status: new | Component: Core
| (Management commands)
Version: dev | Severity: Normal
Keywords: runserver | Triage Stage:
log_message | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
`django.core.servers.basehttp.WSGIRequestHandler.log_response()` may emit
log records that are not properly escaped or sanitized, making it possible
for specially crafted requests to inject terminal escape sequences or
misleading log content. This only affects the internal development server
(`runserver` command). Per the documentation, this server is not intended
for production use and has not been security-audited.
Although this is not considered a vulnerability, a fix for defense-in-
depth should be applied, also to avoid confusion and future security
reports about the same thing. This fix would be in line to what
[https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
Python does for esacaping].
Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
security mailing list.
--
Ticket URL: <https://code.djangoproject.com/ticket/36470>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type:
| Cleanup/optimization
Status: new | Component: Core
| (Management commands)
Version: dev | Severity: Normal
Keywords: runserver | Triage Stage:
log_message | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
`django.core.servers.basehttp.WSGIRequestHandler.log_response()` may emit
log records that are not properly escaped or sanitized, making it possible
for specially crafted requests to inject terminal escape sequences or
misleading log content. This only affects the internal development server
(`runserver` command). Per the documentation, this server is not intended
for production use and has not been security-audited.
Although this is not considered a vulnerability, a fix for defense-in-
depth should be applied, also to avoid confusion and future security
reports about the same thing. This fix would be in line to what
[https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
Python does for esacaping].
Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
security mailing list.
--
Ticket URL: <https://code.djangoproject.com/ticket/36470>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Jun 18, 2025, 8:11:46 AMJun 18
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
-------------------------------------+-------------------------------------
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by David Sanders):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:1>
Django
Jun 18, 2025, 9:26:37 AMJun 18
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jake Howard):
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: Jake Howard (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:2>
Django
Jun 18, 2025, 10:00:09 AMJun 18
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
I think that an ideal solution would be to use
`django.utils.log.log_response()` to implemenet
`django.core.servers.basehttp.WSGIRequestHandler.log_message()`.
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:3>
Django
Jun 18, 2025, 10:00:28 AMJun 18
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Natalia Bidart:
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Old description:
> `django.core.servers.basehttp.WSGIRequestHandler.log_response()` may emit
> log records that are not properly escaped or sanitized, making it
> possible for specially crafted requests to inject terminal escape
> sequences or misleading log content. This only affects the internal
> development server (`runserver` command). Per the documentation, this
> server is not intended for production use and has not been security-
> audited.
>
> Although this is not considered a vulnerability, a fix for defense-in-
> depth should be applied, also to avoid confusion and future security
> reports about the same thing. This fix would be in line to what
> [https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
> Python does for esacaping].
>
> Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
> security mailing list.
`django.core.servers.basehttp.WSGIRequestHandler.log_message()` may emit
log records that are not properly escaped or sanitized, making it possible
for specially crafted requests to inject terminal escape sequences or
misleading log content. This only affects the internal development server
(`runserver` command). Per the documentation, this server is not intended
for production use and has not been security-audited.
Although this is not considered a vulnerability, a fix for defense-in-
depth should be applied, also to avoid confusion and future security
reports about the same thing. This fix would be in line to what
[https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
Python does for esacaping].
Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
security mailing list.
--
--
for specially crafted requests to inject terminal escape sequences or
misleading log content. This only affects the internal development server
(`runserver` command). Per the documentation, this server is not intended
for production use and has not been security-audited.
Although this is not considered a vulnerability, a fix for defense-in-
depth should be applied, also to avoid confusion and future security
reports about the same thing. This fix would be in line to what
[https://github.com/python/cpython/blob/1c7efaf58a62d848421b2da97360ba3df7d7856b/Lib/http/server.py#L626
Python does for esacaping].
Thanks to "Kainan Zhang (@4xpl0r3r) from Fortinet" for the report in the
security mailing list.
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:4>
Django
Jun 25, 2025, 3:18:34 PMJun 25
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by YashRaj1506):
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: (none) => YashRaj1506
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:5>
Django
Jun 25, 2025, 4:26:48 PMJun 25
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by houston0222):
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* has_patch: 0 => 1
Comment:
Submitted a PR to address this issue:
https://github.com/django/django/pull/19592
This patch strips ANSI escape codes from log_message() arguments in the
development server to prevent terminal log injection.
It includes a regression test to verify the behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:6>
Django
Jun 25, 2025, 5:06:01 PMJun 25
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
-------------------------------------+-------------------------------------
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:7>
Django
Sep 30, 2025, 9:41:20 AMSep 30
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: assigned
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution:
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by YashRaj1506):
-------------------------------------+-------------------------------------
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:8>
Django
Oct 20, 2025, 3:21:45 PM (2 days ago) Oct 20
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: closed
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution: fixed
commands) |
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by nessita <124304+nessita@…>):
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"9bb83925d6c231e964f8b54efbc982fb1333da27" 9bb8392]:
{{{#!CommitTicketReference repository=""
revision="9bb83925d6c231e964f8b54efbc982fb1333da27"
Fixed #36470 -- Prevented log injection in runserver when handling NOT
FOUND.
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based of `log_response()` via factoring
out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:9>
Django
Oct 20, 2025, 3:22:42 PM (2 days ago) Oct 20
to django-...@googlegroups.com
#36470: Potential log injection in development server (runserver) logging
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: closed
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution: fixed
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner:
Type: | YashRaj1506
Cleanup/optimization | Status: closed
Component: Core (Management | Version: dev
commands) |
Severity: Normal | Resolution: fixed
Keywords: runserver | Triage Stage: Accepted
log_message |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"f5b6ed78200b2cbff71ec771e6f014de5d4abbd8" f5b6ed78]:
{{{#!CommitTicketReference repository=""
revision="f5b6ed78200b2cbff71ec771e6f014de5d4abbd8"
[6.0.x] Fixed #36470 -- Prevented log injection in runserver when handling
NOT FOUND.
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based of `log_response()` via factoring
out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
Backport of 9bb83925d6c231e964f8b54efbc982fb1333da27 from main.
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based of `log_response()` via factoring
out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36470#comment:10>
Reply all
Reply to author
Forward
0 new messages