BIT-django-2025-57833
SQL injection vulnerability in django (PyPI)
What is BIT-django-2025-57833 About?
This vulnerability is a SQL injection flaw in Django's FilteredRelation feature, triggered when a crafted dictionary is expanded into the keyword arguments of QuerySet.annotate() or QuerySet.alias(). Because the dictionary keys become column aliases in the generated SQL, an attacker who controls those keys can inject SQL. Exploitation is moderately complex, requiring specific input formatting to trigger the injection.
Affected Software
- django
  - <4.2.24
  - >5.0a1, <5.1.12
  - >5.2a1, <5.2.6
Technical Details
The vulnerability resides in Django's FilteredRelation when column aliases are processed within QuerySet.annotate() or QuerySet.alias(). An attacker can craft a dictionary whose keys carry SQL payloads. When this dictionary is expanded (**kwargs) and passed to these QuerySet methods, the keys are used as column aliases without proper validation, so the payload is executed as part of the generated SQL query. This allows manipulation of database queries or extraction of sensitive information.
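The defensive check a practitioner wants here is to refuse untrusted alias names before they ever reach annotate() or alias(). The following is an added example, not Django's code and not from the advisory: a stand-alone allowlist validator for the keys of a dictionary that an application intends to expand into QuerySet.annotate(**kwargs) or QuerySet.alias(**kwargs). It is intentionally stricter than Django's own denylist-style alias check (a plain identifier is all a column alias ever needs), and the sample dictionary and its keys are constructed for the demonstration; the values are placeholders standing in for FilteredRelation objects, since only the keys matter for this check.

```python
import re

# Allowlist: a column alias must be a plain identifier (letters, digits,
# underscore; not starting with a digit; bounded length). Anything a SQL
# injection would need (quotes, spaces, semicolons, comment markers) fails.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def is_safe_alias(alias):
    """True only if `alias` is a plain identifier with no SQL metacharacters."""
    return isinstance(alias, str) and ALIAS_RE.match(alias) is not None


def unsafe_aliases(user_dict):
    """Return the list of keys in `user_dict` that are not safe column aliases."""
    return [key for key in user_dict if not is_safe_alias(key)]


def validate_aliases(user_dict):
    """Return `user_dict` unchanged if every key is a safe alias, else raise.

    Call this on any dictionary whose keys come from untrusted input before
    doing `queryset.annotate(**user_dict)` or `queryset.alias(**user_dict)`.
    Rejecting the whole request is deliberate: silently dropping bad keys
    would hide the fact that someone is probing the alias path.
    """
    bad = unsafe_aliases(user_dict)
    if bad:
        raise ValueError(f"rejected {len(bad)} unsafe column alias(es): {bad!r}")
    return user_dict


if __name__ == "__main__":
    # Constructed sample: the values are placeholders for FilteredRelation
    # objects; only the keys (the would-be column aliases) are checked.
    good = {"recent_books": "FilteredRelation(...)", "author_total": "Count(...)"}
    suspicious = {"recent_books": "FilteredRelation(...)",
                  'title"; --': "FilteredRelation(...)",   # quote + comment marker
                  "book count": "Count(...)",              # whitespace
                  "1st": "Count(...)"}                     # leading digit
    print("good keys accepted:", list(validate_aliases(good)))
    print("rejected keys:", unsafe_aliases(suspicious))
```

Applying validate_aliases() at the boundary where the dictionary is built from request data keeps the ORM call itself unchanged; upgrading Django remains the actual fix, and this check is defence in depth for the period before the upgrade lands.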
What is the Impact of BIT-django-2025-57833?
Successful exploitation may allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion, as well as database compromise and bypass of application security controls.
What is the Exploitability of BIT-django-2025-57833?
Exploitation of this SQL injection vulnerability requires a moderate level of complexity. An attacker needs to understand specific Django QuerySet operations, particularly FilteredRelation, annotate(), and alias(), and how dictionary expansion can be leveraged. No prior authentication is strictly required if the vulnerable QuerySet operations are exposed to unauthenticated input, but typically, some level of application interaction or user input processing is necessary. The attack is likely remote if the application exposes affected functionality via its web interface. Risk factors include applications that dynamically construct database queries based on user-supplied dictionary inputs for column aliases.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Mkway | Link | We've set up an environment to test CVE-2025-57833. This environment was built using AI, so it's subject to ongoing modification. |
| loic-houchi | Link | PoC for CVE-2025-57833 |
| ianoboyle | Link | Example Vulnerable application for CVE-2025-57833 |
What are the Available Fixes for BIT-django-2025-57833?
Available Upgrade Options
- django
  - <4.2.24 → Upgrade to 4.2.24
  - >5.0a1, <5.1.12 → Upgrade to 5.1.12
  - >5.2a1, <5.2.6 → Upgrade to 5.2.6
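To turn the ranges above into a check that can run in CI or an inventory script, the following added example (not part of this advisory and not a Resolved Security or Django tool) encodes the three affected ranges exactly as listed on this page and reports whether a given Django version string falls inside one and which fixed release it maps to. It uses only the standard library, with a small version parser that understands the a/b/rc pre-release suffixes Django uses; the version strings fed to it in the demo are constructed inputs.

```python
import re

# Affected ranges and fixed releases exactly as listed on this page.
# A lower bound of None means "any version below the upper bound".
AFFECTED = [
    # (exclusive lower bound, exclusive upper bound, fixed release)
    (None,    "4.2.24", "4.2.24"),
    ("5.0a1", "5.1.12", "5.1.12"),
    ("5.2a1", "5.2.6",  "5.2.6"),
]

# Pre-release ordering: alpha < beta < release candidate < final.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?")


def parse_version(text):
    """Turn '5.1.11', '5.0a1' or '5.2rc1' into a tuple that compares correctly.

    Numeric parts are padded to three components so '5.0' == '5.0.0', and a
    final release sorts after every pre-release of the same number.
    """
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if match.group(2):
        pre = (_PRE_RANK[match.group(2)], int(match.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return nums + pre


def recommended_upgrade(version):
    """Return the fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED:
        above_lower = lower is None or v > parse_version(lower)
        if above_lower and v < parse_version(upper):
            return fixed
    return None


def is_affected(version):
    """True if `version` lies inside one of the affected ranges on this page."""
    return recommended_upgrade(version) is not None


if __name__ == "__main__":
    # Constructed inputs, one per range plus two that are already fixed.
    for candidate in ["4.2.23", "5.1.11", "5.2.5", "5.2rc1", "5.2.6", "6.0"]:
        fix = recommended_upgrade(candidate)
        print(f"django=={candidate}: " + (f"affected, upgrade to {fix}" if fix else "not affected"))
```

The ranges follow the page literally, including the strict lower bounds on the alpha releases, so 5.0a1 and 5.2a1 themselves are reported as not affected; treat any pre-release pinned in production as something to upgrade regardless.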
Additional Resources
- https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
- https://osv.dev/vulnerability/GHSA-6w2r-r2m5-xq5w
- https://nvd.nist.gov/vuln/detail/CVE-2025-57833
- https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
- https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
- https://github.com/django/django
- https://groups.google.com/g/django-announce
What are Similar Vulnerabilities to BIT-django-2025-57833?
Similar Vulnerabilities: CVE-2023-46637, CVE-2023-45814, CVE-2023-43666, CVE-2023-38202, CVE-2023-38035
