Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>

docs/releases/4.2.22.txt

@@ -5,3 +5,17 @@ Django 4.2.22 release notes
 *June 4, 2025*
 
 Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.

docs/releases/5.1.10.txt

@@ -5,3 +5,17 @@ Django 5.1.10 release notes
 *June 4, 2025*
 
 Django 5.1.10 fixes a security issue with severity "low" in 5.1.9.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.

docs/releases/5.2.2.txt

@@ -7,6 +7,20 @@ Django 5.2.2 release notes
 Django 5.2.2 fixes a security issue with severity "low" and several bugs in
 5.2.1.
 
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
+
 Bugfixes
 ========