From Salvatore Bonaccorso@21:1/5 to All on Thu May 29 07:10:01 2025
Source: django-select2
Version: 7.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for django-select2.

CVE-2025-48383[0]:
| Django-Select2 is a Django integration for Select2. Prior to version
| 8.4.1, instances of HeavySelect2Mixin subclasses like the
| ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret
| access tokens across requests. This can allow users to access
| restricted query sets and restricted data. This issue has been
| patched in version 8.4.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.