SQL Injection Vulnerability in Django Software by Django
CVE-2025-64459

9.1 CRITICAL

Key Information:

CVE Published: 5 November 2025

What is CVE-2025-64459?

An SQL injection vulnerability exists in versions of Django prior to 5.1.14, 4.2.26, and 5.2.8. Using specially crafted dictionaries, attackers can exploit the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class, when dictionary expansion is used to supply the _connector argument. Older versions such as 5.0.x, 4.1.x, and 3.2.x have not been officially evaluated, but they may also be susceptible. Django acknowledges cyberstan for identifying and reporting this critical issue.
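As an added example (not Django's code and not part of this advisory), the following Python shows the defensive habit the description above points at: never expand a client-supplied dictionary directly into QuerySet.filter(), QuerySet.exclude(), QuerySet.get() or Q() as keyword arguments (the shape Model.objects.filter(**params) with no inspection of the keys). It runs without Django so it can be executed stand-alone; ALLOWED_FIELDS and ALLOWED_LOOKUPS are constructed for a hypothetical model, and the allowlist is a defence-in-depth measure alongside upgrading to the fixed versions, not a substitute for the upgrade.

```python
"""Allowlisting filter keys before dictionary expansion into a Django QuerySet.

Added example, not from the Django project or the advisory. The fix for
CVE-2025-64459 is upgrading Django; this demonstrates the surrounding habit
of validating an untrusted mapping before it becomes **kwargs. It is written
without Django so it runs stand-alone.
"""
from collections.abc import Mapping

# Hypothetical model fields a caller may filter on (constructed for this example).
ALLOWED_FIELDS = frozenset({"title", "status", "created"})
# A constructed subset of Django lookup names acceptable for this endpoint.
ALLOWED_LOOKUPS = frozenset({"exact", "iexact", "icontains", "gte", "lte", "in"})


class UnsafeFilterKey(ValueError):
    """Raised when a key must not be forwarded as a keyword argument."""


def validate_filter_key(key: object) -> tuple[str, str]:
    """Parse 'field' or 'field__lookup' and reject anything else.

    Returns (field, lookup). A key is rejected if it is not a string, is empty,
    starts with an underscore (so it could collide with the method's own
    keyword arguments, such as the _connector argument named in the advisory),
    contains more than one '__' segment (relation traversal), names a field
    outside the allowlist, or uses a lookup outside the allowlist.
    """
    if not isinstance(key, str) or not key or key.startswith("_"):
        raise UnsafeFilterKey(f"rejected key: {key!r}")
    parts = key.split("__")
    if len(parts) > 2:
        raise UnsafeFilterKey(f"rejected key: {key!r}")
    field = parts[0]
    lookup = parts[1] if len(parts) == 2 else "exact"
    if field not in ALLOWED_FIELDS or lookup not in ALLOWED_LOOKUPS:
        raise UnsafeFilterKey(f"rejected key: {key!r}")
    return field, lookup


def is_safe_filter_key(key: object) -> bool:
    """Boolean form of validate_filter_key, convenient for tests and logging."""
    try:
        validate_filter_key(key)
    except UnsafeFilterKey:
        return False
    return True


def sanitize_filter_kwargs(untrusted: Mapping[object, object]) -> dict[str, object]:
    """Return a new dict containing only allowlisted keys, or raise.

    Raising (instead of silently dropping) makes tampering visible in logs.
    Every key is normalised to the explicit 'field__lookup' form so the
    downstream call never sees a bare key it did not expect.
    """
    clean: dict[str, object] = {}
    for key, value in untrusted.items():
        field, lookup = validate_filter_key(key)
        clean[f"{field}__{lookup}"] = value
    return clean


if __name__ == "__main__":
    # Constructed request parameters, as a view might receive them.
    params = {"title__icontains": "django", "status": "open"}
    # In real code the result would feed Model.objects.filter(**clean).
    print(sanitize_filter_kwargs(params))
    try:
        sanitize_filter_kwargs({"_connector": "x"})
    except UnsafeFilterKey as exc:
        print("blocked:", exc)
```

The important property is that the check happens on the keys before the `**` expansion, so no key the endpoint did not explicitly allow (including anything underscore-prefixed) ever reaches the QuerySet method's signature.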

Affected Version(s)

Django 5.2 < 5.2.8

Django 5.1 < 5.1.14

Django 4.2 < 4.2.26

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

cyberstan
Jacob Walls
Natalia Bidart