Django is subject to SQL injection through its column aliases

GHSA-6w2r-r2m5-xq5w · BIT-django-2025-57833 · CVE-2025-57833 · PYSEC-2025-105

Published Sep 8, 2025 · Modified Jun 5, 2026

Description

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-57833
WEB https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
WEB https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
WEB https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
WEB https://docs.djangoproject.com/en/dev/releases/security
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-105.yaml
WEB https://groups.google.com/g/django-announce
WEB https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
WEB https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
WEB https://www.djangoproject.com/weblog/2025/sep/03/security-releases
WEB http://www.openwall.com/lists/oss-security/2025/09/03/3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes