Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.
The vulnerabilities, identified as CVE-2025-64458 and CVE-2025-64459, affect core components of the framework and require immediate attention from developers using Django in their applications.
The more serious of the two vulnerabilities, CVE-2025-64459, carries a high severity rating and involves a potential SQL injection weakness in Django’s QuerySet and Q objects.
SQL Injection and Windows-Specific DoS Vulnerability
Security researcher Cyberstan discovered that the QuerySet.The filter(), QuerySet.exclude(), and QuerySet.get() methods, along with the Q() class, are vulnerable when processing specially crafted dictionaries that use the _connector keyword argument with dictionary expansion.
This flaw could enable malicious actors to inject arbitrary SQL commands into database queries, potentially compromising sensitive data or gaining unauthorized access to backend systems.
SQL injection remains one of the most dangerous web application vulnerabilities, making this discovery particularly concerning for organizations relying on Django for their web infrastructure.
The second vulnerability, CVE-2025-64458, affects Django installations running on Windows.
| CVE ID | Vulnerability Type | Affected Versions | CVSS Score |
|---|---|---|---|
| CVE-2025-64458 | Denial-of-Service (DoS) | Django 4.2, 5.1, 5.2, 6.0 (beta) | 5.3 |
| CVE-2025-64459 | SQL Injection | Django 4.2, 5.1, 5.2, 6.0 (beta) | 9.8 |
Seokchan Yoon from ch4n3.KR identified this moderate-severity denial-of-service weakness in the HttpResponseRedirect and HttpResponsePermanentRedirect functions. The issue stems from slow NFKC normalization in Python on Windows.
Attackers can exploit this performance bottleneck by submitting inputs containing vast numbers of Unicode characters, causing the application to consume excessive resources and potentially become unresponsive.
Although rated moderate severity, this vulnerability could still disrupt services and affect user experience on Windows-based Django deployments.
Django developers should update their installations to the latest patched versions as soon as possible.
Organizations using Django on Windows systems should pay particular attention to the DoS vulnerability. At the same time, all Django users must address the SQL injection flaw regardless of their operating system.
Regular security updates and following Django’s security best practices remain essential for maintaining secure web applications.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
