PT-2025-48697 · Django+4

Credited: Jacob Walls +2
Published: 2025-12-02
Updated: 2026-01-29
CVE-2025-13372

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Django versions 4.2 through 4.2.26
Django versions 5.1 through 5.1.14
Django versions 5.2 through 5.2.8
Django versions 5.0.x and earlier
Django versions 4.1.x and earlier
Django versions 3.2.x and earlier

Description

Django's FilteredRelation is susceptible to SQL injection in column aliases. The issue is triggered when a suitably crafted dictionary is expanded as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL, so that dictionary keys controlled by the caller become column aliases. Approximately 1.7 million potentially affected devices have been identified. The vulnerable component is FilteredRelation; the exposed entry points are QuerySet.annotate() and QuerySet.alias(), which can be exploited through manipulated column aliases.

Recommendations

Update to Django version 5.2.9 or later.
Update to Django version 5.1.15 or later.
Update to Django version 4.2.27 or later.
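Two checks a defender can derive from this entry, as an added example that is not part of the page or of the Django project: a version test that encodes the affected and fixed ranges listed above, and an allow-list filter for application code that expands caller-supplied dictionaries into QuerySet.annotate() or QuerySet.alias(). The identifier pattern, the allow-list and the treatment of release lines newer than 5.2 as outside this advisory's scope are assumptions of this example.

```python
import re
from typing import Any, Mapping

# Fixed patch level for each release line named in the recommendations: 4.2.27, 5.1.15, 5.2.9.
FIXED_PATCH = {(4, 2): 27, (5, 1): 15, (5, 2): 9}
# Assumption of this example: release lines newer than 5.2 are not covered by the advisory.
LAST_LISTED_LINE = (5, 2)

# Assumption of this example: a plain SQL-safe identifier is the only alias shape accepted.
SAFE_ALIAS = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def django_is_affected(version: str) -> bool:
    """True if a Django release string falls in a range the advisory lists as vulnerable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unparseable Django version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch < fixed  # 4.2.x, 5.1.x, 5.2.x: vulnerable below the fixed patch level
    # 5.0.x, 4.1.x, 3.2.x and everything earlier have no fix and are listed as affected.
    return (major, minor) < LAST_LISTED_LINE


class UnsafeAliasError(ValueError):
    """Raised when a caller-supplied alias must not reach annotate()/alias()."""


def safe_annotate_kwargs(untrusted: Mapping[str, Any], allowed: frozenset[str]) -> dict[str, Any]:
    """Defence in depth for code that does qs.annotate(**untrusted): only keys that are
    plain identifiers and also on an explicit allow-list pass through as aliases."""
    cleaned: dict[str, Any] = {}
    for alias, expression in untrusted.items():
        if not SAFE_ALIAS.fullmatch(alias):
            raise UnsafeAliasError(f"alias {alias!r} is not a plain identifier")
        if alias not in allowed:
            raise UnsafeAliasError(f"alias {alias!r} is not on the allow-list")
        cleaned[alias] = expression
    return cleaned


if __name__ == "__main__":
    for v in ("4.2.26", "4.2.27", "5.0.14", "5.2.9"):
        print(v, "affected" if django_is_affected(v) else "not affected")
    # Constructed input: the value stands in for a FilteredRelation expression.
    print(safe_annotate_kwargs({"recent_books": "FilteredRelation(...)"}, frozenset({"recent_books"})))
```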

Fix

SQL injection


Weakness Enumeration

Related Identifiers

BDU:2026-02956
BIT-DJANGO-2025-13372
CVE-2025-13372
ECHO-91C5-85B0-1E52
GHSA-RQW2-GHQ9-44M7
MGASA-2025-0320
OPENSUSE-SU-2025:15805-1
OPENSUSE-SU-2025:15806-1
OPENSUSE-SU-2025:20153-1
OPENSUSE-SU-2026:10005-1
PYSEC-2025-104
SUSE-SU-2025:4384-1
USN-7903-1

Affected Products

Debian
Django
Linuxmint
Red Os
Ubuntu