PT-2025-45119 · Django +4 · Cyberstan +2
Published 2025-11-05 · Updated 2026-01-24
CVE-2025-64459
CVSS v2.0: 9.4
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Django versions prior to 5.2.8
Django versions prior to 5.1.14
Django versions prior to 4.2.26
Django 6.0 (beta)
Versions 5.0.x, 4.1.x, and 3.2.x (end-of-life branches)
Description
Django is affected by a SQL injection issue in the QuerySet.filter(), QuerySet.exclude() and QuerySet.get() methods and in the Q() class. It is triggered when an attacker-controlled dictionary is expanded into one of these calls with dictionary expansion (**kwargs) and contains a maliciously crafted _connector key. Q() treats _connector as its boolean connector and joins that string directly into the generated WHERE clause, so an attacker who can supply the _connector parameter can alter the query logic (for example, turning AND into OR) or inject SQL into the query. Depending on what the query protects, this can lead to unauthorized access, data exfiltration and privilege escalation. No authentication is required to exploit the issue. The affected framework has approximately 80,000 GitHub stars.
Recommendations
Update to Django 5.2.8, 5.1.14 or 4.2.26 (or a later release in the same series).
Audit code for uses of QuerySet.filter(), QuerySet.exclude(), QuerySet.get() and the Q() class.
Never expand request.GET.dict() (or any other request-derived dictionary) directly into QuerySet methods.
Validate input with Django Forms.
Allowlist the filter parameters each view accepts.
Map fields explicitly instead of using dictionary expansion.
Check request logs for the _connector and _negated parameters.
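The dictionary-expansion pattern from the description, its allowlisted replacement, and a log check for the last two recommendations, as an added Python example (it is not Django's code and not part of this advisory). It assumes a hypothetical allowlist ALLOWED_FILTERS, a constructed access-log sample, and request parameters arriving as a plain dict of the kind request.GET.dict() produces; it does not import Django, so it runs offline.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Keyword names that Django's Q() consumes itself instead of treating as
# field lookups: Q.__init__(self, *args, _connector=None, _negated=False, **kwargs).
RESERVED_KWARGS = frozenset({"_connector", "_negated"})

# Allowlist of query-string keys -> ORM lookups. Hypothetical, constructed for
# this example; a real view defines the lookups its own model supports.
ALLOWED_FILTERS = {
    "name": "name__iexact",
    "status": "status",
    "owner": "owner__username",
}


def unsafe_filter_kwargs(params):
    """The vulnerable pattern: Model.objects.filter(**request.GET.dict()).

    Whatever the client sends, including _connector and _negated, becomes a
    keyword argument of filter()/exclude()/get() and is handed on to Q().
    """
    return dict(params)


def reserved_kwargs_in(params):
    """Names in params that Q() would interpret instead of matching a field."""
    return sorted(key for key in params if key in RESERVED_KWARGS)


def safe_filter_kwargs(params, allowed=ALLOWED_FILTERS):
    """Hardened form: map each known parameter onto an explicit lookup.

    Keys outside the allowlist are dropped, so a crafted _connector can never
    reach QuerySet.filter(**kwargs). Returns the kwargs dict to expand.
    """
    return {allowed[key]: value for key, value in params.items() if key in allowed}


# Matches the request line inside a common-log-format entry,
# e.g. "GET /items/?name=x HTTP/1.1", capturing the path and query.
_REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def reserved_kwargs_in_url(url):
    """Reserved Q() kwargs present in a URL's query string.

    parse_qs percent-decodes keys, so %5Fconnector is recognised as _connector.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return reserved_kwargs_in(params)


def scan_log_lines(lines):
    """Return (line_number, kwarg) pairs for entries carrying _connector or _negated.

    Line numbers are 1-based. Entries without a parseable request line are skipped.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        for kwarg in reserved_kwargs_in_url(match.group(1)):
            hits.append((number, kwarg))
    return hits


# Constructed access-log sample; addresses and requests are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Nov/2025:10:00:01 +0000] "GET /items/?name=widget HTTP/1.1" 200 1024',
    '10.0.0.9 - - [05/Nov/2025:10:00:02 +0000] "GET /items/?name=widget&_connector=OR HTTP/1.1" 200 8192',
    '10.0.0.9 - - [05/Nov/2025:10:00:03 +0000] "GET /items/?%5Fnegated=True&name=x HTTP/1.1" 200 8192',
    '10.0.0.7 - - [05/Nov/2025:10:00:04 +0000] "POST /login/ HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    attacker_params = {"name": "widget", "_connector": "OR"}
    print("unsafe kwargs:", unsafe_filter_kwargs(attacker_params))
    print("reserved kwargs reaching Q():", reserved_kwargs_in(attacker_params))
    print("safe kwargs:", safe_filter_kwargs(attacker_params))
    for number, kwarg in scan_log_lines(SAMPLE_LOG):
        print(f"log line {number}: suspicious parameter {kwarg}")
```

The allowlist approach is deliberately a mapping rather than a set of permitted names: the view decides which lookup (`name__iexact`, `owner__username`) a client-facing key becomes, so the client never chooses lookup syntax or reserved names. The log scanner decodes percent-encoded keys before comparing, since `%5Fconnector` reaches Django as `_connector` just the same.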

Exploit · Fix · DoS · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-13913
BIT-DJANGO-2025-64459
CVE-2025-64459
DLA-4425-1
GHSA-FRMV-PR5F-9MCR
MGASA-2025-0292
OESA-2025-2676
OESA-2025-2677
OESA-2025-2678
OESA-2025-2679
OESA-2025-2680
USN-7859-1

Affected Products

Debian
Django
Linuxmint
Red Os
Ubuntu