MEDIUM 4.3 PyPI
Django is vulnerable to SQL injection in column aliases
GHSA-rqw2-ghq9-44m7 · BIT-django-2025-13372 · CVE-2025-13372 · PYSEC-2025-104
Published · Modified
Description
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13372
- WEB https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
- WEB https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
- WEB https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
- WEB https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
- WEB https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
- WEB https://docs.djangoproject.com/en/dev/releases/security
- PACKAGE https://github.com/django/django
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-104.yaml
- WEB https://groups.google.com/g/django-announce
- WEB https://www.djangoproject.com/weblog/2025/dec/02/security-releases
Ready to move
Start Securing
Free, no credit card | First findings in minutes