The Django development team has released critical security patches for three major versions of the popular Python web framework, addressing two significant vulnerabilities that could expose applications to SQL injection attacks and denial-of-service conditions.
The updates, issued on December 2, 2025, are released as Django 5.2.9, 5.1.15, and 4.2.27, with the fixes also applied to the upcoming Django 6.0 release candidate and the main development branch.
| CVE ID | Vulnerability | Severity |
|---|---|---|
| CVE-2025-13372 | SQL Injection in FilteredRelation | High |
| CVE-2025-64460 | Denial-of-Service in XML Serializer | Moderate |
High-Severity SQL Injection Vulnerability
The first vulnerability, tracked as CVE-2025-13372, represents a high-severity SQL injection flaw in the FilteredRelation feature when used with PostgreSQL databases.
Security researcher Stackered discovered that attackers could exploit this weakness by passing specially crafted dictionaries with dictionary expansion as keyword arguments to QuerySet.annotate() or QuerySet.alias() methods.
The vulnerability specifically affects the column aliases in FilteredRelation, allowing malicious actors to inject arbitrary SQL code into database queries.
This type of attack could enable unauthorized access, modification, or deletion of data within affected Django applications running on PostgreSQL.
Moderate-Severity Denial-of-Service Issue
The second vulnerability, CVE-2025-64460, poses a moderate-severity denial-of-service threat within Django’s XML serialization functionality.
Security researcher Seokchan Yoon identified an algorithmic complexity issue in the django.core.serializers.xml_serializer.getInnerText() function.
Attackers can exploit this weakness by submitting specially crafted XML input to services that invoke the XML Deserializer, triggering excessive CPU and memory consumption.
The vulnerability stems from repeated string concatenation operations during recursive text node collection, leading to superlinear computational complexity that can degrade service performance or cause complete outages.
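To make the complexity point concrete, the following added example (written for this article, not Django's own code) contrasts a naive recursive text collector that concatenates strings at every nesting level with a linear-time collector that appends fragments to one list and joins once; it walks the same minidom tree type the XML serializer uses, and the sample documents are constructed inline.

```python
from xml.dom import minidom


def inner_text_quadratic(node):
    """Naive recursion with string concatenation: each nesting level
    receives the full text of its subtree as a string and copies it again,
    so total work grows superlinearly with depth (the pattern the advisory
    describes; illustrative, not Django's own code)."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_quadratic(child)  # re-copies the subtree text
    return text


def inner_text_linear(node):
    """Hardened form: every text fragment is appended to one shared list
    during the walk and joined exactly once, so each character is copied
    once regardless of nesting depth."""
    parts = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
                parts.append(child.data)
            elif child.nodeType == child.ELEMENT_NODE:
                walk(child)

    walk(node)
    return "".join(parts)


def text_of(xml, collector=inner_text_linear):
    """Parse a constructed XML string and flatten it with the given collector."""
    return collector(minidom.parseString(xml).documentElement)


def nested_document(depth):
    """Constructed sample: `depth` nested <b> elements, each carrying one
    character of text, so the flattened result is 'a' * depth."""
    return "<field>" + "<b>a" * depth + "</b>" * depth + "</field>"


if __name__ == "__main__":
    doc = nested_document(300)
    assert text_of(doc, inner_text_quadratic) == text_of(doc) == "a" * 300
    print("both collectors agree on", len(text_of(doc)), "characters")
```

Both collectors return the same text; only the linear one keeps the cost proportional to the input size as nesting grows, which is the property a deserializer handling untrusted XML needs.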
The vulnerabilities impact all currently supported Django versions, including Django 4.2, 5.1, 5.2, and the upcoming 6.0 release candidate.
The Django security team has published patches for all affected branches on GitHub and released updated versions available for download from the official Django website.
The updates were signed with PGP key ID 2EE82A8D9470983E belonging to Natalia Bidart.