PyPI: django

CVE-2024-45231

Safety vulnerability ID: SFTY-20241008-30956

Safety legacy ID: pyup.io-73028

A security vulnerability was discovered in Django versions before 4.2.16, 5.0.9 and 5.1.1, affecting the password reset functionality. When a reset is requested for an address that belongs to a registered user, PasswordResetForm.save() in django.contrib.auth.forms sends a reset email; when the address is unknown it sends nothing and returns the same redirect. If the email backend raised an exception (for example an SMTP connection failure), that exception was not handled and the request ended in a server error, so an attacker could enumerate registered email addresses by issuing password reset requests and comparing the responses for different addresses. Django's fix catches these exceptions and logs them with the django.contrib.auth logger, so both cases now return the same response and no information leaks through error responses.
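As an added illustration (not Django's own code and not part of the advisory), the following Python models the pre-fix and post-fix behaviour of PasswordResetForm.save() when the mail backend is failing, and the attacker-side comparison that turns the difference into an enumeration oracle. The user table, the stand-in mail backends and the helper names are constructed for this example; only the logger name django.contrib.auth and the catch-and-log pattern correspond to the fix described above.

```python
import logging

# Logger used by Django's fix. Logging is the only side effect of the patched
# path and it does not alter the HTTP response the attacker sees.
logger = logging.getLogger("django.contrib.auth")

# Constructed user table standing in for auth_user (not real data).
REGISTERED_EMAILS = {"alice@example.com": 1, "bob@example.com": 2}

HTTP_REDIRECT = 302       # PasswordResetView redirects after form.save()
HTTP_SERVER_ERROR = 500   # what an exception escaping the view turns into


class MailBackendDown(Exception):
    """Stand-in for the SMTPException / socket error a real backend raises."""


def failing_send_mail(to_email):
    # Hypothetical backend: every attempt to send fails.
    raise MailBackendDown(f"connection refused while mailing {to_email}")


def working_send_mail(to_email):
    # Hypothetical backend: sending always succeeds.
    return None


def users_with_email(email):
    # Mirrors get_users(): yield the ids of users whose address matches.
    return [uid for addr, uid in REGISTERED_EMAILS.items()
            if addr.lower() == email.lower()]


def vulnerable_save(email, send_mail):
    """Pre-fix behaviour: a backend exception escapes form.save() unhandled."""
    for _uid in users_with_email(email):
        send_mail(email)
    return HTTP_REDIRECT


def fixed_save(email, send_mail):
    """Post-fix behaviour: the exception is caught and logged, the response
    is the same redirect whether or not the address is registered."""
    for uid in users_with_email(email):
        try:
            send_mail(email)
        except Exception:
            logger.exception("Failed to send password reset email to %s", uid)
    return HTTP_REDIRECT


def http_status(save, email, send_mail):
    """Model the view layer: an exception escaping save() becomes a 500."""
    try:
        return save(email, send_mail)
    except Exception:
        return HTTP_SERVER_ERROR


def enumerate_emails(save, candidates, send_mail):
    """Attacker view: an address is confirmed registered when its response
    differs from the response for an address known not to exist."""
    baseline = http_status(save, "not-a-user@example.invalid", send_mail)
    return sorted(e for e in candidates
                  if http_status(save, e, send_mail) != baseline)


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print(enumerate_emails(vulnerable_save, probe, failing_send_mail))
    print(enumerate_emails(fixed_save, probe, failing_send_mail))
```

With the failing backend, the vulnerable path confirms alice and bob (they get a 500, the unknown address gets a 302) while the fixed path returns an empty list because every address gets the same 302. Note that the fix only closes the error-response channel: sending mail still takes time and still produces a delivery, so pair the upgrade with rate limiting on the reset endpoint rather than treating the form as enumeration-proof.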

Created at: Nov 6, 2025
Updated at: Nov 6, 2025

Overview

Django allows enumeration of user e-mail addresses


Affected Package

Affecting django package, versions
<4.2.16
>=5.0a1,<5.0.9
>=5.1a1,<5.1.1

Also affects

---

How to Fix

Upgrade django to 4.2.16, 5.0.9, or 5.1.1 or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers


Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
