CVE-2025-64459

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/	Vendor Advisory
https://groups.google.com/g/django-announce	Mailing List
https://www.djangoproject.com/weblog/2025/nov/05/security-releases/	Vendor Advisory
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::

History

No history.

Information

Published : 2025-11-05 15:15

Updated : 2025-11-10 18:25

NVD link : CVE-2025-64459

Mitre link : CVE-2025-64459

CVE.ORG link : CVE-2025-64459

JSON object : View

Products Affected

djangoproject

django

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-64459", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-11-05T15:15:41.080", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://groups.google.com/g/django-announce", "tags": ["Mailing List"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/", "tags": ["Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en 5.1 anterior a 5.1.14, 4.2 anterior a 4.2.26 y 5.2 anterior a 5.2.8. Los m\u00e9todos 'QuerySet.filter()', 'QuerySet.exclude()' y 'QuerySet.get()', y la clase 'Q()', est\u00e1n sujetos a inyecci\u00f3n SQL cuando se utiliza un diccionario adecuadamente dise\u00f1ado, con expansi\u00f3n de diccionario, como argumento '_connector'. Series anteriores de Django sin soporte (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y tambi\u00e9n pueden verse afectadas. Django desea agradecer a cyberstan por informar de este problema."}], "lastModified": "2025-11-10T18:25:59.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FC7EBE0-A60A-4083-9FB7-E4ADCD2B5F37", "versionEndExcluding": "4.2.26", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F3A5471-02DB-428E-815E-516057A901FF", "versionEndExcluding": "5.1.14", "versionStartIncluding": "5.1"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F56E9016-F93A-4DAE-8070-D3A4909F00A4", "versionEndExcluding": "5.2.8", "versionStartIncluding": "5.2"}], "operator": "OR"}]}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}