PT-2025-45119 · Django +4

Cyberstan +2

Published 2025-11-05 · Updated 2025-12-07 · CVE-2025-64459

CVSS v2.0: 9.4 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Django 5.2.x prior to 5.2.8
Django 5.1.x prior to 5.1.14
Django 4.2.x prior to 4.2.26 (4.2 through 4.2.25)
Django 5.0.x, 4.1.x and 3.2.x and earlier (unsupported series; no fixed release)
Description
A SQL injection issue exists in Django's QuerySet.filter(), QuerySet.exclude() and QuerySet.get() methods and in the Q() class. All of them accept the keyword-only arguments `_connector` and `_negated`, which control how the lookups in the generated WHERE clause are combined, and the `_connector` value was not validated. When a view expands a user-controlled dictionary into one of these methods (for example `Model.objects.filter(**request.GET.dict())`), an attacker can add a `_connector` key to the request: the value `OR` turns the AND of the supplied lookups into an OR, so restrictions such as an ownership or `is_active` check are bypassed, and any other string is joined verbatim into the SQL query. Exploitation does not require authentication beyond reaching such a view. The vulnerability can lead to authentication bypass, data exfiltration and privilege escalation. The vulnerable code path is only reached when dictionary expansion (`**`) is used with user-supplied keys; `request.GET.dict()` is the most common source of such a dictionary.
Recommendations
Update to Django 5.2.8, 5.1.14 or 4.2.26 (or later within the same series).
Audit code for `.filter(**kwargs)`, `.exclude(**kwargs)`, `.get(**kwargs)` and `Q(**kwargs)` calls where the dictionary is derived from the request; do not pass `request.GET.dict()` or any other request-derived mapping directly to QuerySet methods.
Validate input with Django Forms and whitelist the permitted filter parameters; map each accepted parameter to an explicit field name instead of expanding the dictionary.
Check web-server and application logs for requests carrying `_connector` or `_negated` parameters, including the percent-encoded form (`%5Fconnector`, `%5Fnegated`).
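As an added illustration (not code from the advisory or from Django itself), the following Python script shows the vulnerable dictionary-expansion pattern, the allowlist mitigation recommended above, and the log check. It uses a `FakeQuerySet` stand-in that only records the keyword arguments `filter()` receives, so it runs without Django; the `_connector` / `_negated` names are those of `django.db.models.Q.__init__`, while the `ALLOWED_LOOKUPS` mapping and the access-log lines are constructed for the example.

```python
"""Added example; not code from Django or from the advisory page.

Shows (1) how a `_connector` key in request.GET.dict() reaches
QuerySet.filter() unchanged, (2) the allowlist / explicit-mapping
mitigation, (3) a check over access-log lines for `_connector` and
`_negated` parameters. FakeQuerySet stands in for a real QuerySet so the
script runs without Django; Q_CONTROL_KWARGS are the keyword-only
argument names of django.db.models.Q.__init__.
"""
import re
from urllib.parse import parse_qsl

# Keyword-only arguments of Q.__init__ that shape the WHERE tree instead
# of naming a field lookup.
Q_CONTROL_KWARGS = frozenset({"_connector", "_negated"})


class FakeQuerySet:
    """Stand-in for QuerySet: records the kwargs that filter() receives."""

    def __init__(self):
        self.calls = []

    def filter(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self


def vulnerable_lookup(queryset, query_string):
    """The pattern the advisory warns about: request.GET.dict() -> filter(**d).

    dict(parse_qsl(...)) mimics request.GET.dict(): every query-string key,
    `_connector` included, becomes a keyword argument of filter() and thus
    of Q(). On an unpatched Django, `_connector=OR` turns the AND of the
    lookups into an OR; any other string is joined into the WHERE clause.
    """
    params = dict(parse_qsl(query_string))
    return queryset.filter(**params)


# Explicit mapping (constructed for the example): query key -> ORM lookup.
ALLOWED_LOOKUPS = {"username": "username__iexact", "active": "is_active"}


def safe_filter_kwargs(params, allowed=ALLOWED_LOOKUPS):
    """Allowlist request parameters and map them to explicit ORM lookups.

    Anything outside the allowlist, including `_connector`, `_negated`
    and any other underscore-prefixed key, is rejected, not forwarded.
    """
    kwargs = {}
    for key, value in params.items():
        if key in Q_CONTROL_KWARGS or key.startswith("_"):
            raise ValueError(f"rejected Q() control argument: {key!r}")
        if key not in allowed:
            raise ValueError(f"unknown filter parameter: {key!r}")
        kwargs[allowed[key]] = value
    return kwargs


def hardened_lookup(queryset, query_string):
    """Same view logic with the allowlist applied before filter()."""
    params = dict(parse_qsl(query_string))  # parse_qsl also decodes %5F -> _
    return queryset.filter(**safe_filter_kwargs(params))


# Log check: `_connector=` / `_negated=` inside a query string, including
# the percent-encoded underscore (%5F) that a plain grep for "_connector"
# would miss. Parameter names are case-sensitive in Django, so no IGNORECASE.
_Q_CONTROL_IN_QS = re.compile(r"[?&](?:_|%5[Ff])(?:connector|negated)=")


def suspicious_log_lines(lines):
    """Return access-log lines whose request carries a Q() control argument."""
    return [line for line in lines if _Q_CONTROL_IN_QS.search(line)]


# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Nov/2025:10:00:01 +0000] "GET /users/?username=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Nov/2025:10:00:02 +0000] "GET /users/?username=alice&_connector=OR&active=1 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [05/Nov/2025:10:00:03 +0000] "GET /users/?username=alice&%5Fnegated=1 HTTP/1.1" 200 8192',
    '10.0.0.7 - - [05/Nov/2025:10:00:04 +0000] "GET /static/connector.js HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    qs = FakeQuerySet()
    vulnerable_lookup(qs, "username=alice&active=1&_connector=OR")
    print("vulnerable path forwards:", qs.calls[-1])
    try:
        hardened_lookup(qs, "username=alice&active=1&_connector=OR")
    except ValueError as exc:
        print("hardened path rejects:", exc)
    print("suspicious log lines:", len(suspicious_log_lines(SAMPLE_ACCESS_LOG)))
```

The log check only sees what the web server records: `_connector` sent in a POST body or in a JSON payload that a view later expands into `filter()` will not appear in the request line, so audit the code paths (the second recommendation) rather than relying on log hits alone.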

Tags: Exploit · Fix · DoS · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-13913
BIT-DJANGO-2025-64459
CVE-2025-64459
GHSA-FRMV-PR5F-9MCR
MGASA-2025-0292
OESA-2025-2676
OESA-2025-2677
OESA-2025-2678
OESA-2025-2679
OESA-2025-2680
USN-7859-1

Affected Products

Debian
Django
Linuxmint
Red Os
Ubuntu