Django-Select2 HeavySelect2Mixin Secret Token Leakage Vulnerability
Vulnerability
A vulnerability exists in Django-Select2 versions prior to 8.4.1, where instances of HeavySelect2Mixin subclasses, such as ModelSelect2MultipleWidget and ModelSelect2Widget, can inadvertently leak secret access tokens across requests. This leakage may enable users to access restricted query sets and sensitive data.
Impact
Exploitation of this vulnerability allows for unauthorized access to restricted query sets and data, due to the leakage of secret access tokens between requests.
Reproduction
The vulnerability can be reproduced by creating instances of the affected widget classes during application loading, rather than within a request context. This happens, for example, when a widget instance (rather than the widget class) is assigned in a Django form definition: the instance is created once at import time and then shared, so access tokens leak across requests.
Remediation
Users can upgrade to Django-Select2 version 8.4.1 or later to address this vulnerability. For those unable to upgrade, a workaround is to pass the widget class instead of an instance when defining form widgets, which can prevent the leakage of access tokens.
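The sharing mechanism behind the reproduction and workaround above, shown as an added example that is not django-select2's code and deliberately does not model Django's form machinery: a widget instance created at import time keeps its token for every request, while a widget constructed per request does not. All class and function names here are constructed for illustration.

```python
import secrets


class HeavyWidgetModel:
    """Simplified stand-in for a HeavySelect2Mixin-style widget (constructed
    for illustration, not django-select2's real class): the per-request
    access token is attached lazily the first time the widget renders."""

    def __init__(self):
        self.token = None

    def render(self):
        # Simplified model of the reported behaviour: the token is generated
        # once and kept on the instance, so whoever shares the instance
        # shares the token.
        if self.token is None:
            self.token = secrets.token_hex(8)
        return self.token


class SharedInstanceForm:
    # Weak pattern: a widget INSTANCE is created at import time as a class
    # attribute, so every request reuses the same object and its token.
    widget = HeavyWidgetModel()

    def render(self):
        return self.widget.render()


class PerRequestForm:
    # Workaround pattern from the advisory: keep only the widget CLASS at
    # class level and instantiate it when the form is built for a request.
    widget_class = HeavyWidgetModel

    def __init__(self):
        self.widget = self.widget_class()

    def render(self):
        return self.widget.render()


def tokens_seen_by_two_requests(form_cls):
    """Build the form once per request, as a view would, and return the
    access token each request's rendered page would embed."""
    return [form_cls().render() for _ in range(2)]


def leaks_token(form_cls):
    """True when the second request receives the first request's token."""
    first, second = tokens_seen_by_two_requests(form_cls)
    return first == second
```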
