PT-2025-45119 · Django +4
Cyberstan
Published 2025-11-05 · Updated 2026-03-10
CVE-2025-64459
CVSS v2.0: 9.4 (Vector AV:N/AC:L/Au:N/C:C/I:C/A:N)
Name of the Vulnerable Software and Affected Versions: Django versions prior to 5.2.8, prior to 5.1.14, and prior to 4.2.26

Description: Django is susceptible to a SQL injection issue caused by improper handling of dictionary expansion in the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class. An attacker can inject SQL by supplying a dictionary that contains a specially crafted _connector argument. The resulting query manipulation can lead to authentication bypass, data exfiltration, and privilege escalation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected. The vulnerability arises when user-controlled input is passed directly to these methods via dictionary expansion (for example, filter(**request.GET.dict())), because every key in the dictionary, including Q()'s private _connector and _negated keyword arguments, is then under the client's control. The _connector parameter can be manipulated to alter query logic, for example changing 'AND' to 'OR'.

Recommendations: Update to Django 5.2.8, 5.1.14, or 4.2.26. Audit code for uses of QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() with dictionary expansion. Never pass request.GET.dict() directly to QuerySet methods. Validate input with Django Forms. Allowlist the filter parameters a client may supply. Map fields explicitly instead of relying on dictionary expansion. Monitor logs for requests that carry the _connector or _negated parameters.
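The following is an added example, not code from the Django project or from this advisory. It shows the two practical controls recommended above: an allowlist that is applied to a client-supplied parameter dictionary before it is expanded into QuerySet.filter(), and a scan of web-server access-log lines for the _connector and _negated parameters. The permitted fields and lookups, the log lines, and the function names are constructed for the example; the code deliberately imports nothing from Django so it runs anywhere.

```python
"""Allowlisting filter parameters and detecting CVE-2025-64459-style probes.

Vulnerable pattern this guards against (do not do this):
    User.objects.filter(**request.GET.dict())
With dictionary expansion every key becomes a keyword argument, so a client
can pass Q()'s private _connector / _negated arguments along with real fields.
"""
import re
from typing import Iterable, Mapping
from urllib.parse import parse_qsl, urlsplit

# Fields the client may filter on and the lookups permitted for each.
# Constructed schema for the example, not a Django default.
ALLOWED_FILTERS = {
    "username": {"exact", "iexact", "icontains"},
    "is_active": {"exact"},
    "date_joined": {"gte", "lte"},
}

# Private Q() keyword arguments that must never come from a client.
PRIVATE_Q_ARGS = ("_connector", "_negated")


class UnsafeFilterParameter(ValueError):
    """Raised when a client-supplied filter key is outside the allowlist."""


def build_filter_kwargs(params: Mapping[str, str]) -> dict[str, str]:
    """Return kwargs that are safe to expand into QuerySet.filter(**kwargs).

    Every key must be "<allowed field>" or "<allowed field>__<allowed lookup>".
    Anything else, including _connector and _negated, is rejected rather than
    silently dropped so the attempt is visible to the caller and can be logged.
    """
    clean: dict[str, str] = {}
    for key, value in params.items():
        if key.startswith("_"):
            raise UnsafeFilterParameter(f"private keyword argument rejected: {key!r}")
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"
        if field not in ALLOWED_FILTERS or lookup not in ALLOWED_FILTERS[field]:
            raise UnsafeFilterParameter(f"filter not in allowlist: {key!r}")
        clean[key] = value
    return clean


def is_safe_filter(params: Mapping[str, str]) -> bool:
    """Boolean wrapper around build_filter_kwargs for callers that only need a verdict."""
    try:
        build_filter_kwargs(params)
    except UnsafeFilterParameter:
        return False
    return True


def query_dict(query_string: str) -> dict[str, str]:
    """Mimic request.GET.dict(): percent-decoded keys, last value wins for repeats."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


# Request line inside a Common Log Format entry, e.g. "GET /path?q=1 HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (request target, offending keys) for every log line whose query
    string carries _connector or _negated. Keys are percent-decoded first, so
    an encoded "%5Fconnector" is caught as well as the literal form."""
    hits: list[tuple[str, list[str]]] = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        keys = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
        bad = sorted(k for k in keys if k in PRIVATE_Q_ARGS)
        if bad:
            hits.append((target, bad))
    return hits


# Constructed access-log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Nov/2025:10:12:01 +0000] "GET /api/users/?username=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Nov/2025:10:12:07 +0000] "GET /api/users/?username=alice&_connector=OR HTTP/1.1" 500 0',
    '10.0.0.9 - - [05/Nov/2025:10:12:09 +0000] "GET /api/users/?%5Fnegated=1&is_active=1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(build_filter_kwargs(query_dict("username=alice&date_joined__gte=2025-01-01")))
    print(is_safe_filter(query_dict("username=alice&_connector=OR")))
    for target, keys in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", target, keys)
```

In a view, the safe call becomes Model.objects.filter(**build_filter_kwargs(request.GET.dict())), and the UnsafeFilterParameter exception is the right place to emit an alert. The log scan is only a first-pass indicator: parameter names can be obfuscated in ways a single regex will not catch, so treat it as a complement to upgrading, not a substitute.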

Tags: Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-13913
BIT-DJANGO-2025-64459
CVE-2025-64459
DLA-4425-1
ECHO-1DC5-AF13-00C1
GHSA-FRMV-PR5F-9MCR
MGASA-2025-0292
OESA-2025-2676
OESA-2025-2677
OESA-2025-2678
OESA-2025-2679
OESA-2025-2680
OESA-2026-1206
RHSA-2025:23069
RHSA-2025:23070
USN-7859-1

Affected Products

Debian
Django
Linuxmint
Red Os
Ubuntu