SQL Injection Vulnerability in Django Software by Django
CVE-2025-64459
Key Information:
- Vendor
Djangoproject
- Status
- Vendor
- CVE Published:
- 5 November 2025
Badges
What is CVE-2025-64459?
CVE-2025-64459 is a vulnerability found in specific versions of the Django web framework, which is widely used for building web applications in Python. This issue relates to SQL injection, a serious security flaw that allows an attacker to manipulate database queries by injecting arbitrary SQL code. The vulnerability arises from the manipulation of certain methods, specifically QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), along with the class Q() when improperly handling a crafted dictionary. If exploited, this flaw can lead to unauthorized access to the database, allowing attackers to extract sensitive information or manipulate data, posing significant risks to any organization relying on Django for their web applications.
The specific versions affected are Django 5.1 prior to 5.1.14, 4.2 prior to 4.2.26, and 5.2 prior to 5.2.8. Previous unsupported versions such as 5.0.x, 4.1.x, and 3.2.x may also be vulnerable, raising further concerns for legacy applications. Given Django's prominence in web development, this vulnerability underscores the need for timely updates and security patches.
Potential impact of CVE-2025-64459
-
Unauthorized Data Access: If exploited, this vulnerability can allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive data stored in the database, such as user credentials, personal information, and confidential business records.
-
Data Manipulation: Beyond accessing data, SQL injection vulnerabilities can enable attackers to modify or delete database records. This can disrupt operations, lead to loss of integrity within the database, and result in severe consequences for businesses that depend on accurate data.
-
Reputation Damage: A successful exploitation of this vulnerability can lead to significant reputational damage for an organization. Breaches involving sensitive data often garner media attention, which can undermine customer trust and affect business relationships.
Affected Version(s)
Django 5.2 < 5.2.8
Django 5.1 < 5.1.14
Django 4.2 < 4.2.26
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Multiple Django Vulnerabilities Enable SQL injection and DoS Attack
Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.
3 weeks ago
CyberSecurityNewsMultiple Django Vulnerabilities Enable SQL injection and DoS Attack
Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.
3 weeks ago
References
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
- π
Vulnerability started trending
- π°
First article discovered by CyberSecurityNews
Vulnerability published
Vulnerability Reserved