Django-Select2 Anfällig für Offenlegung des Secret Cache Keys des Widget-Instances
Plattform
python
Komponente
django-select2
Behoben in
8.4.2
8.4.1
CVE-2025-48383 is a high-severity vulnerability affecting versions of django-select2 up to 8.4.0. This vulnerability allows for the potential leakage of access tokens, which could lead to unauthorized access to restricted querysets and sensitive data. The issue is patched in version 8.4.1 and later, and workarounds are available for specific deployment scenarios.
Erkenne diese CVE in deinem Projekt
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.
Auswirkungen und Angriffsszenarienwird übersetzt…
The core of this vulnerability lies within the HeavySelect2Mixin and its subclasses, such as ModelSelect2MultipleWidget and ModelSelect2Widget. An attacker can potentially exploit this flaw to access restricted querysets and data by leveraging the leakage of access tokens across requests. This could involve gaining unauthorized access to sensitive information, manipulating data, or even escalating privileges within the application. The impact is particularly severe in environments where access tokens are used to control access to critical resources or data.
Ausnutzungskontextwird übersetzt…
This CVE was publicly disclosed on 2025-05-27. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's impact is dependent on specific deployment patterns and access token management practices, making widespread exploitation less likely without targeted attacks. It is not currently listed on CISA KEV.
Wer Ist Gefährdetwird übersetzt…
Applications using django-select2 versions 8.4.0 and earlier are at risk, particularly those that rely on access tokens for authorization and where widgets are initialized during application loading. Shared hosting environments utilizing vulnerable versions of django-select2 are also at increased risk.
Erkennungsschrittewird übersetzt…
• python / application: Examine application code for instances of HeavySelect2Mixin and related widgets. Check for unusual access token handling or storage.
# Example: Check for widget initialization during app loading
import inspect
import django
django.setup()
from .models import MyModel
from .forms import MyForm
# Check if MyForm's widgets are initialized during app loading
form = MyForm()
print(inspect.getmembers(form.fields['my_select_field'].widget))Angriffszeitlinie
- Disclosure
disclosure
Bedrohungsanalyse
Exploit-Status
EPSS
0.29% (52% Perzentil)
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Keine — ohne Authentifizierung ausnutzbar. Keine Zugangsdaten erforderlich.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Niedrig — Angreifer kann einige Daten mit begrenztem Umfang ändern.
- Availability
- Keine — kein Verfügbarkeitseinfluss.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
- EPSS aktualisiert
Mitigation und Workaroundswird übersetzt…
The primary mitigation for CVE-2025-48383 is to upgrade to django-select2 version 8.4.1 or a later version, which contains the fix. If upgrading is not immediately feasible, a workaround exists for cases where widget instances are created during application loading, rather than during a request. Carefully review your code to identify any instances where widgets are initialized during app loading and implement appropriate access controls to prevent token leakage. Consider implementing stricter access control policies and regularly auditing your application for potential vulnerabilities.
So beheben
Aktualisieren Sie die django-select2 Bibliothek auf Version 8.4.1 oder höher. Dies behebt die Schwachstelle der Secret Access Token Leaks. Sie können mit pip aktualisieren: `pip install django-select2==8.4.1`.
CVE-Sicherheitsnewsletter
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
Häufig gestellte Fragenwird übersetzt…
What is CVE-2025-48383 — Access Token Leak in django-select2?
CVE-2025-48383 is a high-severity vulnerability in django-select2 versions up to 8.4.0 that allows access tokens to be leaked, potentially granting unauthorized access to data.
Am I affected by CVE-2025-48383 in django-select2?
You are affected if you are using django-select2 version 8.4.0 or earlier and your application initializes widgets during app loading.
How do I fix CVE-2025-48383 in django-select2?
Upgrade to django-select2 version 8.4.1 or later. If upgrading is not possible, implement workarounds to prevent token leakage during app loading.
Is CVE-2025-48383 being actively exploited?
There is no confirmed active exploitation of CVE-2025-48383 at this time, but the potential for exploitation exists.
Where can I find the official django-select2 advisory for CVE-2025-48383?
Refer to the django-select2 project's official documentation and release notes for details on this vulnerability and the available fix.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.