BIT-django-2025-59681
SQL injection vulnerability in django (PyPI)
What is BIT-django-2025-59681 About?
This vulnerability is a SQL injection flaw found in Django's QuerySet methods when handling specially crafted dictionary expansions in column aliases on MySQL and MariaDB. It allows attackers to inject malicious SQL queries, potentially leading to unauthorized data access, modification, or deletion. Exploitation requires specific conditions related to crafted input and database usage, making it moderately complex.
Affected Software
- django
  - >5.1, <5.1.13
  - >4.2, <4.2.25
  - >5.2, <5.2.7
Technical Details
The vulnerability resides in Django's QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods. When an application calls these methods with a suitably crafted dictionary passed through dictionary expansion as the `**kwargs` argument, the dictionary keys become column aliases in the generated SQL, and an attacker who controls those keys can inject SQL into the alias position. The flaw specifically affects the MySQL and MariaDB database backends because of how they interpret and execute SQL involving aliased columns. By manipulating the dictionary passed to these methods, an attacker can control parts of the generated SQL, leading to SQL injection.
What is the Impact of BIT-django-2025-59681?
Successful exploitation may allow attackers to execute arbitrary SQL commands against the database, leading to unauthorized access, manipulation, or deletion of sensitive data. It could also result in bypassing security controls, escalating privileges, or causing a denial of service to the database.
What is the Exploitability of BIT-django-2025-59681?
Exploitation of this vulnerability is considered to be of moderate complexity. It requires an attacker to supply specially crafted input to a Django application that uses the affected QuerySet methods (annotate, alias, aggregate, extra) with dictionary expansion for column aliases. The vulnerability manifests only when the application runs against a MySQL or MariaDB database. Whether authentication is needed depends on whether the vulnerable functionality is reachable by unauthenticated users; typically some level of application interaction or data submission is required. Privileges are those of the application's database user. Exploitation can be remote if the application exposes an interface that lets an attacker submit the malicious input, or local if it requires local file access or direct interaction with the Django shell. The primary risk factor is the application's direct use of dictionary expansion with user-controlled input in the specified QuerySet methods.
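The pattern described above, attacker-controlled dictionary keys reaching annotate()/alias()/aggregate()/extra() as column aliases, is easiest to see as a defensive check. The following is an added example, not Django's own code or the upstream patch: it validates alias names against a strict identifier pattern and an application-defined allowlist before they are ever expanded into a QuerySet call. The `_FakeQuerySet` class is a constructed stand-in so the snippet runs without Django installed; in a real project you would pass a real QuerySet to `annotate_from_user_input()`.

```python
import re

# A column alias used via **kwargs should be a plain identifier and nothing else.
# Anything with whitespace, quotes, semicolons or comment markers is rejected outright.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeAliasError(ValueError):
    """Raised when a user-supplied alias is not a safe, expected column alias."""


def validate_alias(name):
    """Return `name` if it is syntactically a safe identifier, else raise."""
    if not isinstance(name, str) or not ALIAS_RE.fullmatch(name):
        raise UnsafeAliasError(f"rejected column alias: {name!r}")
    return name


def sanitize_annotation_kwargs(user_kwargs, allowed_aliases):
    """Keep only entries whose keys are safe identifiers AND on the allowlist.

    Any unexpected key causes a hard failure rather than silent dropping, so
    a tampered request is visible in logs instead of being partially honoured.
    """
    cleaned = {}
    for alias, expression in user_kwargs.items():
        validate_alias(alias)
        if alias not in allowed_aliases:
            raise UnsafeAliasError(f"alias not in allowlist: {alias!r}")
        cleaned[alias] = expression
    return cleaned


class _FakeQuerySet:
    """Constructed stand-in for django.db.models.QuerySet (not Django's class).

    Its annotate() just echoes the kwargs so the example runs offline.
    """

    def annotate(self, **kwargs):
        return dict(kwargs)


def annotate_from_user_input(queryset, user_kwargs, allowed_aliases):
    """Safe replacement for the risky `queryset.annotate(**user_kwargs)` pattern."""
    safe_kwargs = sanitize_annotation_kwargs(user_kwargs, allowed_aliases)
    return queryset.annotate(**safe_kwargs)


if __name__ == "__main__":
    # Constructed sample: the application only ever expects these two aliases.
    ALLOWED = {"total", "item_count"}
    qs = _FakeQuerySet()

    # Well-formed input passes through unchanged.
    print(annotate_from_user_input(qs, {"total": "Sum('amount')"}, ALLOWED))

    # A key that is not a bare identifier (here: contains whitespace) is refused
    # before it can become part of any SQL.
    try:
        annotate_from_user_input(qs, {"total amount": "Sum('amount')"}, ALLOWED)
    except UnsafeAliasError as exc:
        print("blocked:", exc)
```

The allowlist check is deliberately stricter than the identifier regex: even a syntactically clean alias the application did not anticipate is rejected, which keeps the set of generated column names fixed regardless of what a request contains. This is defence in depth; the actual fix is upgrading to a patched Django release as listed below.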
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2025-59681?
Available Upgrade Options
- django
  - >4.2, <4.2.25 → Upgrade to 4.2.25
  - >5.1, <5.1.13 → Upgrade to 5.1.13
  - >5.2, <5.2.7 → Upgrade to 5.2.7
Additional Resources
- https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
- https://nvd.nist.gov/vuln/detail/CVE-2025-59681
- https://groups.google.com/g/django-announce
- https://github.com/django/django
- https://docs.djangoproject.com/en/dev/releases/security
- https://www.djangoproject.com/weblog/2025/oct/01/security-releases/
- https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a
- https://docs.djangoproject.com/en/dev/releases/security/
- https://osv.dev/vulnerability/GHSA-hpr9-3m2g-3j9p
What are Similar Vulnerabilities to BIT-django-2025-59681?
Similar Vulnerabilities: CVE-2023-43306, CVE-2023-43655, CVE-2023-46639, CVE-2023-46603, CVE-2023-46605
