Django Web Vulnerability Allows Attackers to Execute SQL Injection

The Django development team has issued security updates after discovering a high-severity SQL injection flaw in the FilteredRelation feature.

This flaw could allow attackers to run harmful database commands by crafting unexpected query parameters. Users running Django 5.2, 5.1, or 4.2 should upgrade immediately to protect their applications.

Web Vulnerability Details

Django’s FilteredRelation feature helps developers write complex database queries by adding extra columns based on filters.

However, it did not properly validate dictionary keys when used with QuerySet.annotate() or QuerySet.alias().

An attacker could pass a malicious dictionary that changes how column aliases are built, injecting SQL code directly into the database query. Such an attack can reveal sensitive data or alter records without permission.
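The permanent fix is the Django upgrade described below; the following is an added, hypothetical example (not Django's code) of the defence-in-depth check an application should apply when the alias names it passes to annotate() or alias() are built from untrusted input: only plain identifiers that the view explicitly expects are allowed to become column aliases.

```python
import re

# Constructed rule for this example: an alias must be a plain SQL identifier
# (letters, digits, underscores, not starting with a digit).
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Characters and tokens that would let an alias escape its position in the
# SELECT list: quotes, backticks, brackets, semicolons, whitespace, SQL comments.
_FORBIDDEN_RE = re.compile(r"""['"`\[\];\s]|--|/\*|\*/""")


class UnsafeAliasError(ValueError):
    """Raised when a would-be column alias is not a plain identifier."""


def is_safe_alias(alias) -> bool:
    """True only for non-empty strings that are plain identifiers."""
    if not isinstance(alias, str) or not alias:
        return False
    if _FORBIDDEN_RE.search(alias):
        return False
    return _IDENTIFIER_RE.fullmatch(alias) is not None


def validate_alias(alias: str) -> str:
    """Return the alias unchanged, or raise if it could alter the query text."""
    if not is_safe_alias(alias):
        raise UnsafeAliasError(f"refusing to use {alias!r} as a column alias")
    return alias


def safe_annotation_kwargs(requested: dict, allowed: frozenset) -> dict:
    """Filter alias -> expression pairs before splatting them into annotate()/alias().

    Malformed aliases raise; well-formed but unexpected aliases are dropped,
    so only names the view explicitly allow-lists reach the ORM.
    """
    out = {}
    for alias, expression in requested.items():
        validate_alias(alias)      # hypothetical check; raises on anything non-identifier
        if alias in allowed:       # and only aliases this view is prepared to build
            out[alias] = expression
    return out


if __name__ == "__main__":
    ALLOWED = frozenset({"author_name", "post_count"})
    # Constructed input standing in for request-influenced annotation keys.
    print(safe_annotation_kwargs({"author_name": "<FilteredRelation>", "other": 1}, ALLOWED))
    for bad in ['x"y', "a;b", "c--d", "with space", "1abc"]:
        print(bad, "->", is_safe_alias(bad))
```

With the returned dict, `qs.annotate(**safe_annotation_kwargs(params, ALLOWED))` never sees a key that was not a plain, expected identifier.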

  • CVE ID: CVE-2025-57833
  • Description: SQL injection in FilteredRelation column aliases
  • Severity: High
  • Affected Versions: main, 5.2, 5.1, 4.2
  • Fixed Releases: 5.2.6, 5.1.12, 4.2.24

Affected Versions

All supported versions at the time of discovery were affected, including:

  • Django main (development branch)
  • Django 5.2
  • Django 5.1
  • Django 4.2

The team has applied patches in each branch to fix the alias handling logic. These patches are available via the Django GitHub repository.

Resolution and Patches

The security fixes have been merged into the main development branch and the maintained release branches. Users can review and apply the patches from the following commits:

  • Main branch: 51711717098d3f469f795dfa6bc3758b24f69ef7
  • 5.2 branch: 4c044fcc866ec226f612c475950b690b0139d243
  • 5.1 branch: 102965ea93072fe3c39a30be437c683ec1106ef5
  • 4.2 branch: 31334e6965ad136a5e369993b01721499c5d1a92

After applying these patches, developers should run their test suites before deploying to production.

To simplify the upgrade process, the team has published new Django releases (5.2.6, 5.1.12 and 4.2.24). Each contains the security fix together with other minor improvements.

Each release uses the PGP key ID 3955B19851EA96EF for verification. Users should verify downloads before upgrading.

If you find a security issue in Django, do not post it publicly. Instead, email details to security@djangoproject.com. The team follows a strict disclosure policy to protect users. For more information, see Django’s security policy.

Stay Secure

Upgrade to Django 5.2.6, 5.1.12, or 4.2.24 to protect your applications from SQL injection attacks.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.