CVE-2025-48383

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48383
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48383.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48383
Aliases
Downstream
Published
2025-05-27T15:03:10.062Z
Modified
2025-12-05T10:17:59.809456Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking
Details

Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-402",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48383.json"
}
References

Affected packages

Git / github.com/codingjoe/django-select2

Affected ranges

Type
GIT
Repo
https://github.com/codingjoe/django-select2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e5f41e6edba004d35f94915ff5e2559f44853412

Affected versions

4.*

4.3.2

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.10.0
5.11.0
5.11.1
5.2.0
5.2.1
5.3.0
5.3.1
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.6.0
5.7.0
5.7.1
5.8.0
5.8.1
5.8.10
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.9.0

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.2.0
6.3.0
6.3.1

7.*

7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.1.0
7.1.1
7.1.2
7.10.0
7.10.1
7.11.0
7.11.1
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.5.0
7.6.0
7.6.1
7.6.2
7.7.0
7.7.1
7.7.2
7.7.3
7.8.1
7.9.0

8.*

8.0.0
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.2.3
8.3.0
8.4.0