CVE-2025-13372
SQL Injection vulnerability in django (PyPI)
What is CVE-2025-13372 About?
This vulnerability is an SQL injection flaw in Django's `FilteredRelation` component, specifically in column aliases. When a dictionary is expanded with `**` into `QuerySet.annotate()` or `QuerySet.alias()` together with a `FilteredRelation` on PostgreSQL, the dictionary keys become column aliases in the generated SQL; a suitably crafted key can therefore inject arbitrary SQL. The impact is high because of the potential for data compromise, and exploitation is relatively easy for an attacker who knows which endpoint feeds the affected methods.
Affected Software
- django
- >=5.2a1, <5.2.9
- >=5.1a1, <5.1.15
- >=4.2a1, <4.2.27
Technical Details
The vulnerability affects Django applications that use PostgreSQL with `FilteredRelation`. The flaw lies in how column aliases are generated when a dictionary is expanded as `**kwargs` into `QuerySet.annotate()` or `QuerySet.alias()`: the dictionary keys are used directly as the alias names of the `FilteredRelation` columns, and on the PostgreSQL path those names reached the generated SQL without adequate validation. A key containing quotation marks, whitespace, semicolons or SQL comment sequences can thus break out of the alias position, allowing arbitrary SQL to run with the privileges of the application's database user. Other backends are not listed as affected.
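The pattern described above is dangerous only when a client can influence the keys of the expanded dictionary. The following is an added example (not Django's code, and not the published proof of concept): it validates alias names before they are expanded into `annotate()`/`alias()`, and shows the safer design of letting the client pick from a server-side catalogue instead of supplying keys. The `FilteredRelation` expressions are stood in for by strings so the module runs without Django installed; the catalogue names, the allowed relation names and the malformed alias in the demo are all constructed for illustration.

```python
"""Guarding alias names before ** expansion into QuerySet.annotate()/alias().

Added example, not Django code. FilteredRelation(...) objects are replaced by
placeholder strings so that this runs stand-alone; in a real view the catalogue
values would be FilteredRelation instances.
"""
import re

# Strict alias grammar: an ASCII identifier of bounded length. Quotes, whitespace,
# ';', '--' and '/*' (anything that could terminate a quoted alias) cannot match.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

# Hypothetical server-side catalogue of annotations a view is willing to expose.
# Keys are the only aliases that can ever reach annotate(); values stand in for
# FilteredRelation expressions.
ANNOTATION_CATALOGUE = {
    "active_books": "FilteredRelation('book', condition=Q(book__is_active=True))",
    "recent_books": "FilteredRelation('book', condition=Q(book__year__gte=2020))",
}

# Hypothetical related names a client may build a FilteredRelation over.
ALLOWED_RELATIONS = frozenset({"book", "article"})


def is_safe_alias(alias) -> bool:
    """True if alias is a plain identifier that can safely be used as a column alias."""
    return isinstance(alias, str) and _ALIAS_RE.fullmatch(alias) is not None


def check_alias(alias) -> str:
    """Return alias unchanged if safe, otherwise raise ValueError (fail closed)."""
    if not is_safe_alias(alias):
        raise ValueError(f"unsafe column alias: {alias!r}")
    return alias


def annotate_kwargs_from_names(requested_names):
    """Preferred design: the client only *selects* aliases from the catalogue.

    Returns the dict to expand with ** into QuerySet.annotate(). Unknown or
    malformed names raise instead of being silently dropped, so a probe for the
    flaw is visible in the application's error logs.
    """
    kwargs = {}
    for name in requested_names:
        alias = check_alias(name)
        if alias not in ANNOTATION_CATALOGUE:
            raise ValueError(f"unknown annotation: {alias!r}")
        kwargs[alias] = ANNOTATION_CATALOGUE[alias]
    return kwargs


def annotate_kwargs_from_dict(client_dict):
    """When the client really does supply {alias: related_name}, validate both sides.

    The alias must pass check_alias(); the relation must be in the allowlist.
    Only then is the pair turned into a (placeholder) FilteredRelation.
    """
    kwargs = {}
    for alias, related in client_dict.items():
        alias = check_alias(alias)
        if related not in ALLOWED_RELATIONS:
            raise ValueError(f"relation not allowed: {related!r}")
        kwargs[alias] = f"FilteredRelation({related!r})"
    return kwargs


if __name__ == "__main__":
    # Constructed inputs: one well-formed request and one alias that is not an
    # identifier (quote, whitespace, semicolon, comment) and must be rejected.
    print(annotate_kwargs_from_names(["active_books"]))
    print(annotate_kwargs_from_dict({"my_books": "book"}))
    for bad in ['x" FROM auth_user; --', "a b", "", 123]:
        print(repr(bad), "safe?", is_safe_alias(bad))
```

Where an endpoint cannot be refactored to use a catalogue, apply `check_alias()` to every key before the `**` expansion; it is deliberately stricter than an exact copy of Django's own alias rule so that nothing depends on which Django version is deployed. Upgrading to a fixed release remains the actual remediation.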
What is the Impact of CVE-2025-13372?
Successful exploitation may allow attackers to read, modify, or delete data in the database, execute arbitrary database commands, and potentially gain further access to the underlying system.
What is the Exploitability of CVE-2025-13372?
Exploitation of this SQL injection vulnerability is moderately complex, requiring an understanding of Django's QuerySet API and PostgreSQL SQL syntax. Authentication may be required to reach an application endpoint that calls the affected annotate() or alias() methods. The injected SQL runs with the privileges of the application's database user, so the impact is bounded by that account rather than by the web user's role. Access is remote whenever the attacker can trigger the vulnerable code path through a web interface. The preconditions are the use of FilteredRelation with dictionary expansion in **kwargs on PostgreSQL; the risk rises sharply when user-supplied input is used, directly or indirectly, to construct the keys of the dictionary passed to these QuerySet methods.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Ashwesker | Link | CVE-2025-13372 |
What are the Available Fixes for CVE-2025-13372?
Available Upgrade Options
- django
- >=4.2a1, <4.2.27 → Upgrade to 4.2.27
- django
- >=5.1a1, <5.1.15 → Upgrade to 5.1.15
- django
- >=5.2a1, <5.2.9 → Upgrade to 5.2.9
Additional Resources
- https://docs.djangoproject.com/en/dev/releases/security/
- https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
- https://github.com/django/django
- https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
- https://osv.dev/vulnerability/GHSA-rqw2-ghq9-44m7
- https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
- https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
- https://groups.google.com/g/django-announce
- https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
What are Similar Vulnerabilities to CVE-2025-13372?
Similar Vulnerabilities: CVE-2023-30547, CVE-2022-44645, CVE-2022-31189, CVE-2021-45459, CVE-2021-39589
