PT-2024-5584 · Django+5

Eyal Gabay · Published 2024-08-06 · Updated 2026-01-03 · CVE-2024-42005

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Django versions 4.2 through 4.2.14
Django versions 5.0 through 5.0.7

Description
The issue is an SQL injection in the QuerySet.values() and values_list() methods on models with a JSONField. An attacker who can supply a crafted JSON object key as an argument to these methods can execute arbitrary SQL queries. The estimated number of potentially affected services worldwide is over 5.4 million.

Recommendations
For Django versions 4.2 through 4.2.14, upgrade to Django 4.2.15. For Django versions 5.0 through 5.0.7, upgrade to Django 5.0.8. As a temporary workaround, consider restricting the use of the QuerySet.values() and values_list() methods on models with a JSONField until a patch is applied.
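As an added example (not code from the advisory or from Django), the temporary workaround above can be enforced at the application layer: JSON key lookups are allow-listed before they ever reach QuerySet.values()/values_list(), and the running Django version is compared against the affected ranges the advisory lists. The field name "data" and the allowed keys are constructed; no Django import is needed.

```python
import re

# Constructed for the example: the one JSONField the view may project,
# and the only top-level keys a client is allowed to request from it.
JSON_FIELD = "data"
ALLOWED_KEYS = {"name", "email", "plan"}

# A conservative identifier pattern. A key carrying quotes, spaces or SQL
# punctuation never matches and is refused before any queryset is built.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Affected series -> first fixed release, as stated in the advisory.
FIRST_FIXED = {(4, 2): (4, 2, 15), (5, 0): (5, 0, 8)}


def validate_json_lookups(requested):
    """Return the 'field__key' lookups safe to pass to values()/values_list().

    `requested` is the list of key names a client asked for (for example
    from a query string). Raises ValueError on anything not allow-listed.
    """
    validated = []
    for key in requested:
        if not isinstance(key, str) or not _KEY_RE.match(key):
            raise ValueError("malformed JSON key in lookup")
        if key not in ALLOWED_KEYS:
            raise ValueError(f"JSON key not allowed: {key}")
        validated.append(f"{JSON_FIELD}__{key}")
    return validated


def lookups_are_allowed(requested):
    """Boolean form of validate_json_lookups for callers that only gate."""
    try:
        validate_json_lookups(requested)
        return True
    except ValueError:
        return False


def is_affected_django(version):
    """True when `version` (e.g. '4.2.14') falls inside an affected range.

    Series not listed by the advisory (e.g. 5.1) return False.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    first_fixed = FIRST_FIXED.get(parts[:2])
    return first_fixed is not None and parts < first_fixed
```

In a view, pass only the returned lookups to `Model.objects.values(*validated)`; a client-supplied key never reaches the ORM unvalidated.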

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

ALT-PU-2024-15283
ALT-PU-2025-10176
BDU:2024-06269
BIT-DJANGO-2024-42005
CVE-2024-42005
GHSA-PV4P-CWWG-4RPH
MGASA-2025-0039
OESA-2024-2002
OESA-2024-2003
OESA-2024-2004
OESA-2024-2036
OESA-2024-2280
OPENSUSE-SU-2024:0272-1
OPENSUSE-SU-2024:14247-1
OPENSUSE-SU-2024:14248-1
OPENSUSE-SU-2026:10005-1
PYSEC-2024-70
RHSA-2024:6428
RHSA-2024:8906
RHSA-2025:1335
SUSE-SU-2024:2816-1
SUSE-SU-2024:2817-1
USN-6946-1

Affected Products

Alt Linux
Astra Linux
Debian
Django
Linuxmint
Ubuntu