The Django development team has released critical security patches addressing two significant vulnerabilities that could expose applications to denial-of-service attacks and SQL injection exploits.
The security releases for Django 5.2.8, 5.1.14, and 4.2.26 were published on November 5, 2025, in accordance with Django’s standard security release policy.
The two disclosed vulnerabilities pose different levels of risk to deployed Django applications. A high-severity SQL injection vulnerability affects QuerySet operations.
A moderate-severity denial-of-service flaw affects Windows-based installations. Django developers should prioritize updating their deployments to the patched versions immediately.
| CVE ID | Vulnerability | Severity | CVSS Score | Affected Versions |
|---|---|---|---|---|
| CVE-2025-64458 | DoS via HttpResponseRedirect/HttpResponsePermanentRedirect on Windows | Moderate | 5.3 | Django 4.2, 5.1, 5.2, 6.0 (beta) |
| CVE-2025-64459 | SQL Injection via _connector Keyword Argument in QuerySet | High | 9.8 | Django 4.2, 5.1, 5.2, 6.0 (beta) |
SQL Injection Vulnerability in QuerySet Operations
The more critical vulnerability, designated CVE-2025-64459, impacts Django’s QuerySet filtering operations.
Security researchers discovered that the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, along with the Q() class, are susceptible to SQL injection when a specially crafted dictionary is expanded into these calls with dictionary expansion so that it supplies the _connector keyword argument.
This vulnerability allows attackers to inject malicious SQL commands into database queries, potentially enabling unauthorized access, modification, or deletion of data.
The severity of this vulnerability stems from its accessibility. Developers using these everyday QuerySet operations could inadvertently introduce SQL injection vulnerabilities if they process untrusted user input without proper validation.
An attacker exploiting this flaw could bypass application security controls and execute arbitrary SQL commands directly against the underlying database, making this a critical concern for production environments.
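The risky pattern behind this advisory is expanding an untrusted dictionary straight into QuerySet.filter(**kwargs). As an added example (not code from the Django project or from this article), the guard below allowlists the field and lookup names a view is willing to accept and refuses everything else, including any key with a leading underscore such as the private _connector argument. The field and lookup names are constructed for illustration.

```python
"""Allowlist user-supplied lookups before expanding them into QuerySet.filter().

Added example, not Django project code. Assumes a view receives query
parameters as a plain dict (for example request.GET.dict()) and wants to
pass them on as Model.objects.filter(**kwargs).
"""

# Constructed allowlists: the only fields and lookups this view may filter on.
ALLOWED_FIELDS = {"title", "status", "created_at"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "gte", "lte", "in"}


class UnsafeLookup(ValueError):
    """Raised when a user-supplied key must not reach QuerySet.filter()."""


def is_allowed_key(key):
    """Return True only for '<field>' or '<field>__<lookup>' from the allowlists.

    Keys with a leading underscore (such as _connector) are private QuerySet
    internals and are rejected before the allowlist is even consulted.
    """
    if not isinstance(key, str) or key.startswith("_"):
        return False
    parts = key.split("__")
    if len(parts) > 2 or not all(parts):
        return False
    if parts[0] not in ALLOWED_FIELDS:
        return False
    return len(parts) == 1 or parts[1] in ALLOWED_LOOKUPS


def safe_filter_kwargs(params):
    """Return a copy of params that is safe to expand with **kwargs.

    Raises UnsafeLookup on the first key that is not allowlisted, so the
    caller fails closed instead of silently dropping suspicious input.
    """
    cleaned = {}
    for key, value in params.items():
        if not is_allowed_key(key):
            raise UnsafeLookup(f"rejected lookup key: {key!r}")
        cleaned[key] = value
    return cleaned


# Risky:  Model.objects.filter(**request.GET.dict())
# Safer:  Model.objects.filter(**safe_filter_kwargs(request.GET.dict()))
```

Pair this with upgrading to the patched releases; the allowlist limits what untrusted input can name, it does not replace the fix.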
Denial-of-Service Flaw on Windows Systems
CVE-2025-64458 addresses a denial-of-service vulnerability affecting the HttpResponseRedirect and HttpResponsePermanentRedirect functions on Windows platforms.
The issue involves inefficient NFKC Unicode normalization processing in Python, which becomes problematic when handling inputs containing large numbers of Unicode characters.
Attackers could send specially crafted requests containing excessive Unicode data, causing the normalization process to consume significant system resources and rendering the application unresponsive.
While this vulnerability is classified as moderate severity, Windows administrators should remain vigilant as successful exploitation could disrupt service availability.
The attack requires no authentication and can be executed remotely, making it a potential vector for malicious actors targeting Windows-deployed Django applications.
Patches addressing both vulnerabilities have been applied across all affected Django versions, including the development main branch and Django 6.0 beta.
Organizations running Django 4.2, 5.1, or 5.2 should update immediately to the patched releases.
The affected versions represent a substantial portion of deployed Django installations, making this a widespread security concern affecting the broader Django ecosystem.
