PT-2025-45119 · Django +4 · Cyberstan +2
Published 2025-11-05 · Updated 2026-04-22
CVE-2025-64459
CVSS v2.0 9.4 Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Django versions prior to 5.1.14, prior to 4.2.26, and prior to 5.2.8
Description
Django is susceptible to a SQL injection issue due to improper handling of dictionary expansion when using the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class. The vulnerability arises when user-controlled input is passed directly to these methods via dictionary expansion (for example, expanding request.GET.dict() straight into filter()): an attacker can inject malicious SQL by crafting a dictionary that contains a specifically designed connector argument, which alters the query logic, for example by changing 'AND' to 'OR'. This allows for potential database manipulation, including bypassing authentication, data exfiltration, and privilege escalation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.
Recommendations
Update to Django versions 5.2.8, 5.1.14, or 4.2.26.
Audit code for usages of QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() with dictionary expansion.
Never pass request.GET.dict() directly to QuerySet methods.
Implement input validation using Django Forms.
Implement whitelisting of filter parameters.
Explicitly map fields instead of using dictionary expansion.
Monitor logs for usage of the connector and negated parameters.
Exploit
Fix
DoS
SQL injection
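The whitelisting and explicit-mapping recommendations above, as an added example that is not part of this advisory and not Django's own code: an allowlist-based builder that turns request parameters into filter kwargs and rejects anything that is not a permitted field lookup, plus a small check for the Q() internal parameters in logged query strings. The model field names and lookups are assumed for a hypothetical model.

```python
# Added example (not from the advisory or from Django itself): allowlist-based
# construction of filter kwargs, the explicit alternative to expanding
# request.GET.dict() into QuerySet.filter(), plus a check that flags the Q()
# internal parameters in logged query strings. Field and lookup names are assumed.
from urllib.parse import parse_qs

# Fields and lookups this endpoint is willing to filter on (assumed for the example).
ALLOWED_FIELDS = {"title", "status", "author"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains"}
# Keyword-only arguments of Q() that change the query's structure rather than
# supply a value to compare; dictionary expansion can reach them.
INTERNAL_PARAMS = {"_connector", "_negated"}


class UnsafeFilter(ValueError):
    """Raised when a request parameter is not an allowlisted field lookup."""


def build_safe_filters(params):
    """Map request parameters to kwargs that are safe to pass to QuerySet.filter()."""
    safe = {}
    for key, value in params.items():
        if key.startswith("_"):  # rejects _connector, _negated and any other internal name
            raise UnsafeFilter(f"internal Q() argument not allowed: {key!r}")
        field, _, lookup = key.partition("__")
        if field not in ALLOWED_FIELDS:
            raise UnsafeFilter(f"field not filterable: {field!r}")
        # Only a single lookup suffix is accepted; relation traversal such as
        # author__name__icontains is deliberately rejected.
        if lookup and lookup not in ALLOWED_LOOKUPS:
            raise UnsafeFilter(f"lookup not allowed: {lookup!r}")
        safe[key] = value
    return safe


def is_safe_request(params):
    """Boolean form of build_safe_filters, convenient in views and tests."""
    try:
        build_safe_filters(params)
        return True
    except UnsafeFilter:
        return False


def internal_params_in_query(query_string):
    """Names of Q() internal parameters present in a logged request query string."""
    return INTERNAL_PARAMS & set(parse_qs(query_string, keep_blank_values=True))


# Hardened view pattern, shown as a comment so the example runs without Django:
#   Article.objects.filter(**build_safe_filters(request.GET.dict()))
```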
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Django
Linuxmint
Red Os
Ubuntu