SQL Injection Vulnerability in Django's FilteredRelation Affects Multiple Versions
CVE-2025-13372
What is CVE-2025-13372?
CVE-2025-13372 is a vulnerability in Django, a widely used web framework for building scalable and secure web applications. It affects Django releases before 5.2.9, 5.1.15, and 4.2.27. The flaw is an SQL injection in the FilteredRelation component: crafted input reaches the database through dictionary expansion into the **kwargs parameter of the QuerySet.annotate() or QuerySet.alias() methods when the database backend is PostgreSQL. If successfully exploited, this vulnerability could allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access and manipulation. Organizations running vulnerable versions of Django could face severe consequences, including data integrity issues and compliance breaches.
Potential impact of CVE-2025-13372
- Unauthorized Data Access: The SQL injection vulnerability can lead to unauthorized access to sensitive data stored in databases, putting customer information, financial records, and personal data at risk.
- Data Manipulation Risks: Attackers exploiting this vulnerability can modify, delete, or corrupt database entries, causing significant disruptions to business operations and potentially resulting in data loss.
- Compliance Violations: Organizations that fail to address this vulnerability may violate data protection regulations, such as GDPR or HIPAA, leading to legal repercussions, fines, and damage to reputation.
Affected Version(s)
Django 5.2 < 5.2.9
Django 5.1 < 5.1.15
Django 4.2 < 4.2.27
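The following is an added example, not code from this advisory or from the Django project. It covers two points from the page: a check of an installed Django version against the fixed releases listed above (series the advisory does not mention are reported as unknown rather than guessed), and the defensive pattern for the annotate()/alias() call path described in the overview, where the keys of a dictionary expanded into **kwargs must come from an application-defined allow-list rather than from request data. The alias names (recent_books, active_members) and the sample inputs are constructed for illustration; Django itself is not imported, so the block runs stand-alone.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by release series.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 2): (5, 2, 9),
    (5, 1): (5, 1, 15),
    (4, 2): (4, 2, 27),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.2.8' (or '5.2', or '5.2.9rc1') into a tuple of its leading integer components."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fixed release of its series, False if at or above it.

    Returns None for a series the advisory does not list, instead of guessing.
    """
    parts = parse_version(version)
    fixed = FIXED_RELEASES.get(parts[:2])
    if fixed is None:
        return None
    padded = parts + (0,) * (3 - len(parts))  # '5.2' compares as 5.2.0
    return padded < fixed


# The flaw is reached when untrusted input chooses the *keys* of a dictionary
# expanded into QuerySet.annotate(**kwargs) / QuerySet.alias(**kwargs) with
# FilteredRelation values on PostgreSQL. Alias keys should be fixed names
# defined in application code, never taken from request data.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def rejected_alias_keys(requested: Dict[str, object], allowed: Iterable[str]) -> List[str]:
    """Return every requested key that is not an allow-listed, plain-identifier alias."""
    allowed_set = set(allowed)
    return [
        key for key in requested
        if key not in allowed_set or not IDENTIFIER_RE.match(key)
    ]


def safe_annotation_kwargs(requested: Dict[str, object], allowed: Iterable[str]) -> Dict[str, object]:
    """Filter kwargs before handing them to annotate()/alias(); refuse anything off the allow-list."""
    bad = rejected_alias_keys(requested, allowed)
    if bad:
        raise ValueError(f"annotation alias not permitted: {bad}")
    return dict(requested)


if __name__ == "__main__":
    # Constructed sample values; the alias names are hypothetical.
    for v in ("5.2.8", "5.2.9", "5.1.15", "4.2.26", "5.0.7"):
        print(v, "affected:", is_affected(v))
    ALLOWED = {"recent_books", "active_members"}
    print(safe_annotation_kwargs({"recent_books": "FilteredRelation(...)"}, ALLOWED))
```

In application code the filtered dictionary is what gets expanded, for example `Author.objects.annotate(**safe_annotation_kwargs(requested, ALLOWED))`; the allow-list is a deliberate second line of defence and does not replace upgrading to the fixed release for your series.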
