CVE-2025-48383
📋 TL;DR
Django-Select2 versions before 8.4.1 leak secret access tokens across requests in HeavySelect2Mixin subclasses, allowing unauthorized users to access restricted query sets and data. This affects Django applications using ModelSelect2MultipleWidget or ModelSelect2Widget components. The vulnerability enables data exposure of protected information.
💻 Affected Systems
- django-select2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive/restricted data, potentially exposing confidential information, user data, or internal system details.
Likely Case
Unauthorized users access restricted query sets they shouldn't have permission to view, leading to data leakage of protected information.
If Mitigated
With proper access controls and network segmentation, impact is limited to data exposure within authorized user scope.
🎯 Exploit Status
Exploitation requires user interaction with the affected widgets and knowledge of the token leakage mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.4.1
Vendor Advisory: https://github.com/codingjoe/django-select2/security/advisories/GHSA-wjrh-hj83-3wh7
Restart Required: Yes
Instructions:
1. Update django-select2 package: pip install django-select2==8.4.1
2. Restart Django application server
3. Verify no regressions in select2 widget functionality
🔧 Temporary Workarounds
Disable affected widgets
Temporarily disable ModelSelect2MultipleWidget and ModelSelect2Widget components until patching
Replace affected widgets with standard Django form widgets in your code
🧯 If You Can't Patch
- Implement additional access controls at the application layer to restrict data exposure
- Monitor logs for unusual access patterns to select2 endpoints
🔍 How to Verify
Check if Vulnerable:
Check the installed django-select2 version: pip show django-select2 | grep Version
Verify Fix Applied:
Confirm the version is 8.4.1 or higher and test select2 widgets for functionality
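The version check above is easy to get wrong when done by eye or by plain string comparison ("8.10.0" sorts before "8.4.1" as text). The following script is an added example, not part of this advisory or of the django-select2 project: it reads the installed distribution version through importlib.metadata (the distribution name "django-select2" is the same one used by the pip commands above) and compares it against the patched release 8.4.1 as a numeric version tuple, treating pre-releases of 8.4.1 as not yet fixed.

```python
"""Report whether the installed django-select2 is at or above the patched
release 8.4.1 for CVE-2025-48383.  Added example, not the advisory's own code."""
import re
from importlib import metadata

PATCHED_VERSION = "8.4.1"  # first release carrying the fix, per the vendor advisory

# Leading numeric components, then an optional pre-release marker (a, b, rc, dev).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)[.\-]?(a|b|rc|dev)?", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that orders correctly.

    '8.4.1'       -> (8, 4, 1, 0, 1)
    '8.4.1rc1'    -> (8, 4, 1, 0, 0)   pre-release sorts below the final release
    '8.4.1.post1' -> (8, 4, 1, 0, 1)   post-release counts as the final release
    Numeric parts are padded to four components so '9' compares as 9.0.0.0.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    is_final = 0 if m.group(2) else 1
    return nums + (is_final,)


def is_fixed(version: str) -> bool:
    """True when `version` is 8.4.1 or later (i.e. carries the fix)."""
    return version_key(version) >= version_key(PATCHED_VERSION)


def installed_status(dist_name: str = "django-select2") -> str:
    """Human-readable status for the installed distribution, or 'not installed'."""
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return "not installed"
    if is_fixed(installed):
        return f"{installed}: fixed"
    return f"{installed}: VULNERABLE (upgrade to {PATCHED_VERSION} or later)"


if __name__ == "__main__":
    print(f"django-select2 {installed_status()}")
```

Run it inside the virtual environment of the Django project; a result of "not installed" from the wrong interpreter is the usual false negative, so check `which python` first.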
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to select2 endpoints
- Requests with unexpected token parameters
Network Indicators:
- Abnormal traffic to /select2/ endpoints
SIEM Query:
source="django" AND (uri_path="/select2/*" OR user_agent="*select2*")
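The SIEM query above selects select2 traffic; deciding what counts as an "unusual access pattern" still has to happen somewhere. As an added example (not part of this advisory, and independent of any SIEM product), the script below runs the same idea over web-server access logs in combined format: it groups requests under the /select2/ prefix per client IP and flags clients whose request count exceeds a threshold. The threshold, the sample log lines and the /select2/fields/auto.json path used in them are constructed for illustration; tune the threshold to your own baseline.

```python
"""Flag clients with an unusual volume of requests to /select2/ endpoints in
combined-format access logs.  Added example; threshold and log lines are
constructed for illustration, not taken from the advisory or any real system."""
import re
from collections import defaultdict

# Apache/Nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise_select2(lines, prefix: str = "/select2/"):
    """Per client IP: request count under `prefix`, distinct query strings, user agents."""
    per_ip = defaultdict(lambda: {"requests": 0, "queries": set(), "user_agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["queries"].add(rec["path"].partition("?")[2])
        entry["user_agents"].add(rec["ua"])
    return per_ip


def flag_clients(per_ip, max_requests: int = 20):
    """IPs whose select2 request count exceeds the (assumed) threshold, busiest first."""
    flagged = [(ip, e["requests"]) for ip, e in per_ip.items() if e["requests"] > max_requests]
    return sorted(flagged, key=lambda t: -t[1])


# --- constructed sample traffic (not captured from any real system) -------------
def _line(ip: str, path: str, ua: str, sec: int) -> str:
    return (f'{ip} - - [12/Jun/2025:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


SAMPLE_LOG = [
    _line("10.0.0.5", "/select2/fields/auto.json?term=al", "Mozilla/5.0", 1),
    _line("10.0.0.5", "/select2/fields/auto.json?term=ali", "Mozilla/5.0", 3),
    _line("10.0.0.7", "/admin/", "Mozilla/5.0", 4),
    "garbage line that does not parse",
] + [
    # one client issuing 30 distinct lookups within 30 seconds
    _line("203.0.113.9", f"/select2/fields/auto.json?term={chr(97 + i % 26)}{i}",
          "python-requests/2.32", i % 60)
    for i in range(30)
]

if __name__ == "__main__":
    summary = summarise_select2(SAMPLE_LOG)
    for ip, n in flag_clients(summary):
        uas = ", ".join(sorted(summary[ip]["user_agents"]))
        print(f"{ip}: {n} select2 requests, {len(summary[ip]['queries'])} distinct queries, UA: {uas}")
```

Lines that do not parse are skipped rather than raising, so the script can be pointed at a mixed log; the distinct-query count and user-agent set are reported alongside the count because a handful of repeated autocomplete requests from a browser looks very different from many distinct lookups from a script.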