HIGH 7.1 PyPI
Django vulnerable to SQL injection in column aliases
GHSA-hpr9-3m2g-3j9p · BIT-django-2025-59681 · CVE-2025-59681 · PYSEC-2025-106
Published · Modified
Description
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-59681
- WEB https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a
- WEB https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
- WEB https://docs.djangoproject.com/en/dev/releases/security
- PACKAGE https://github.com/django/django
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-106.yaml
- WEB https://groups.google.com/g/django-announce
- WEB https://www.djangoproject.com/weblog/2025/oct/01/security-releases
- WEB http://www.openwall.com/lists/oss-security/2025/10/01/3
Ready to move
Start Securing
Free, no credit card | First findings in minutes