CVE-2025-64459
SQL Injection vulnerability in django (PyPI)

SQL Injection | No known exploit | Fixable by Resolved Security

What is CVE-2025-64459 About?

This SQL injection vulnerability in Django affects `QuerySet.filter()`, `QuerySet.exclude()`, `QuerySet.get()`, and `Q()` in versions before 4.2.26, 5.1.14, and 5.2.8. When an application expands an attacker-controlled dictionary into one of these calls (for example `Model.objects.filter(**data)` or `Q(**data)`), a `_connector` key in that dictionary reaches the ORM's SQL generation without validation and its value is emitted verbatim into the WHERE clause. This can lead to unauthorized data access, modification, or deletion. Exploitation is remote and requires the attacker to control the keys of such a dictionary, not merely the values.

Affected Software

  • django
    • >5.0a1, <5.1.14
    • <4.2.26
    • >5.2a1, <5.2.8

Technical Details

The vulnerability exists in Django's ORM methods QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), and the Q() class. `_connector` is the keyword argument Q() uses to set the boolean operator (AND, OR, or XOR) that joins its child conditions; it is intended for internal use by the ORM, but nothing stopped a caller from supplying it. Because the QuerySet methods build a Q object from their keyword arguments, any code that expands a user-controlled mapping with `**` into them hands an attacker-chosen `_connector` straight to Q(). Before the fix the value was not checked against the supported connectors and was joined verbatim between the generated WHERE conditions, so a value such as `OR 1=1 OR` becomes part of the executed SQL: a classic injection in which the attacker controls the structure of the query rather than a bound parameter. The patched releases reject any connector outside the supported set before SQL is generated.

What is the Impact of CVE-2025-64459?

Successful exploitation may allow attackers to execute arbitrary SQL commands, leading to unauthorized access, modification, or deletion of database contents, and potentially leading to full compromise of the database and associated systems.

What is the Exploitability of CVE-2025-64459?

Once the vulnerable pattern is present, exploitation requires little beyond knowing the `_connector` keyword: the attacker supplies it, alongside ordinary lookups for it to join, with a value that Django inserts between the generated WHERE conditions. Authentication is needed only if the affected view is restricted to authenticated users; otherwise exploitation is unauthenticated and remote. The prerequisite is a Django application that expands user-controlled dictionary keys into QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or Q(), for example `Model.objects.filter(**request.GET.dict())` or `Q(**json.loads(request.body))`. Applications that pass fixed lookup names with user-controlled values are not exposed by this issue; the trigger is an attacker-controlled key, not a value.
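The following is an added illustration of the mechanism described in the Technical Details and Exploitability sections; it is not Django's code or code from this advisory. The functions are stand-ins that mimic the shape of `Q(**kwargs)` / `QuerySet.filter(**kwargs)`: lookups become WHERE conditions and `_connector` is the operator joined between them. `ATTACKER_PAYLOAD` is a constructed request body, and `ALLOWED_LOOKUPS` (the allowlist of a hypothetical search endpoint) is an assumption.

```python
"""CVE-2025-64459 pattern, illustrated with stand-ins for Django's Q/filter.

Not Django's code. The stand-ins reproduce only what matters here: lookups
become parameterised WHERE fragments, and the ``_connector`` keyword is
spliced between them as the boolean operator.
"""

# The connectors Django's Q actually supports; patched releases reject others.
ALLOWED_CONNECTORS = {"AND", "OR", "XOR"}

# Assumed allowlist of lookups a hypothetical /search endpoint accepts.
ALLOWED_LOOKUPS = {"name__icontains", "is_active"}

# Constructed attacker body for an endpoint that does
# Model.objects.filter(**json.loads(request.body)).
ATTACKER_PAYLOAD = {
    "name__icontains": "alice",
    "is_active": True,
    "_connector": "OR 1=1 OR",  # lands between the two conditions below
}


def _conditions(lookups):
    """Turn ``field__lookup: value`` pairs into parameterised fragments.
    The lookup type is ignored here; the demo only needs the join point."""
    fragments, params = [], []
    for key, value in lookups.items():
        column = key.split("__", 1)[0]
        fragments.append(f'"{column}" = %s')
        params.append(value)
    return fragments, params


def where_unchecked(_connector=None, **lookups):
    """Pre-fix shape: whatever string arrives as _connector is trusted and
    joined verbatim between the WHERE conditions."""
    fragments, params = _conditions(lookups)
    return f" {_connector or 'AND'} ".join(fragments), params


def where_checked(_connector=None, **lookups):
    """Post-fix shape: validate the connector before any SQL is built."""
    connector = _connector or "AND"
    if connector not in ALLOWED_CONNECTORS:
        raise ValueError(f"Invalid connector: {connector!r}")
    fragments, params = _conditions(lookups)
    return f" {connector} ".join(fragments), params


def safe_filter_kwargs(user_params, allowed=ALLOWED_LOOKUPS):
    """Application-side hardening that is independent of the Django version:
    only allowlisted lookup names pass through, so ``_connector`` (or any other
    underscore-prefixed keyword) can never reach the ORM via ``**``."""
    rejected = sorted(k for k in user_params if k not in allowed)
    if rejected:
        raise ValueError(f"unsupported filter parameters: {rejected}")
    return dict(user_params)


def demo():
    """Run all three variants against the constructed payload."""
    out = {}
    sql, _ = where_unchecked(**ATTACKER_PAYLOAD)
    out["unchecked_sql"] = sql
    try:
        where_checked(**ATTACKER_PAYLOAD)
        out["checked"] = "accepted"
    except ValueError as exc:
        out["checked"] = f"rejected: {exc}"
    try:
        safe_filter_kwargs(ATTACKER_PAYLOAD)
        out["allowlist"] = "accepted"
    except ValueError as exc:
        out["allowlist"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the unchecked clause `"name" = %s OR 1=1 OR "is_active" = %s`, which is always true, while both the connector check and the allowlist reject the payload. The allowlist is the mitigation to deploy in application code regardless of version: never expand a request-derived mapping into the ORM with `**` unless its keys have been validated. Upgrading to a fixed release is still required, since the allowlist only protects the call sites you remember to wrap.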

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-64459?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • django
    • <4.2.26 → Upgrade to 4.2.26
    • >5.0a1, <5.1.14 → Upgrade to 5.1.14
    • >5.2a1, <5.2.8 → Upgrade to 5.2.8


Additional Resources

What are Similar Vulnerabilities to CVE-2025-64459?

Similar Vulnerabilities: CVE-2023-28362 , CVE-2023-3882 , CVE-2021-41183 , CVE-2022-31197 , CVE-2020-13791