django is vulnerable to SQL Injection
Risk score: 71 (High Risk)
Affected versions of this package are vulnerable to SQL injection in the FilteredRelation class. When an application builds a dictionary from untrusted input and expands it as **kwargs into QuerySet.annotate() or QuerySet.alias(), the dictionary keys become the column alias names of the resulting FilteredRelation objects, and affected versions did not validate those aliases before placing them in the generated SQL. A suitably crafted key therefore lets an attacker inject SQL of their choosing into the query. The injection point is the alias name (the dictionary key), not the value; you are exposed only where untrusted input can reach those names.
You are affected if you are using a version that falls within the vulnerable range.
django is vulnerable to SQL Injection in versions 4.2.0 - 4.2.23, 5.1.0 - 5.1.11 and 5.2.0 - 5.2.5.
Upgrade the django library to a patched release: 4.2.24, 5.1.12 or 5.2.6, or any later version in that series.
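To make the exposure concrete, here is an added example (not code from this page or from the Django project) showing the vulnerable application-side pattern, what an unvalidated alias does to the SQL text, and an allowlist check to apply before expanding user-supplied keys into annotate() or alias(). The request dictionary, the join rendered by `simulate_unvalidated_alias`, and the `queryset`/`condition` arguments of `annotate_with_user_aliases` are constructed for illustration; the character classes in `FORBIDDEN_ALIAS_PATTERN` mirror the ones Django's own column-alias check rejects.

```python
import re

# Constructed sample of a request body whose keys an application might,
# carelessly, expand as **kwargs into QuerySet.annotate()/alias().
# The keys are the attack surface: each one becomes a FilteredRelation
# alias, and affected Django versions did not validate it.
CONSTRUCTED_USER_KWARGS = {
    "recent_books": "book",                   # benign alias
    'x" FROM auth_user --': "book",           # breaks out of the alias position
    "a; DROP TABLE app_book; --": "book",     # stacked statement
}

# Character classes Django's column-alias check rejects (quotes, brackets,
# semicolons, whitespace and SQL comment tokens). The patched releases apply
# that check to FilteredRelation aliases as well.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# Stricter application-side allowlist: a plain identifier and nothing else.
SAFE_ALIAS_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def denylist_rejects(alias: str) -> bool:
    """True if the alias contains a character Django's check forbids."""
    return FORBIDDEN_ALIAS_PATTERN.search(alias) is not None


def is_safe_alias(alias) -> bool:
    """Allowlist check: only plain identifiers may become aliases."""
    return isinstance(alias, str) and SAFE_ALIAS_PATTERN.match(alias) is not None


def simulate_unvalidated_alias(alias: str) -> str:
    """Mimic the bug class: an alias interpolated verbatim into SQL text.

    Illustrates why the alias name matters; this is a constructed join,
    not Django's actual compiler output.
    """
    return (
        f'LEFT OUTER JOIN "app_book" {alias} '
        f'ON ("app_author"."id" = {alias}."author_id")'
    )


def validated_annotate_kwargs(user_kwargs: dict) -> dict:
    """Return a copy of user_kwargs if every key is a safe alias, else raise.

    Expand the result as **kwargs instead of the raw user-supplied dict.
    """
    bad = [k for k in user_kwargs if not is_safe_alias(k)]
    if bad:
        raise ValueError(f"rejected alias names: {bad!r}")
    return dict(user_kwargs)


def annotate_with_user_aliases(queryset, user_kwargs: dict, condition):
    """Hardened form of the vulnerable pattern (needs Django at call time).

    `queryset` and `condition` are assumptions about the calling
    application; Django is imported lazily so this module runs without it.
    """
    from django.db.models import FilteredRelation  # real Django API

    safe = validated_annotate_kwargs(user_kwargs)
    return queryset.annotate(
        **{
            alias: FilteredRelation(relation, condition=condition)
            for alias, relation in safe.items()
        }
    )


if __name__ == "__main__":
    for alias in CONSTRUCTED_USER_KWARGS:
        print(
            f"{alias!r}: denylist_rejects={denylist_rejects(alias)}, "
            f"allowlist_ok={is_safe_alias(alias)}"
        )
        if not is_safe_alias(alias):
            print("   unvalidated SQL would read:", simulate_unvalidated_alias(alias))
```

The allowlist is deliberately stricter than Django's denylist: an application that lets clients name annotations has no reason to accept anything beyond an identifier, and validating before the call removes the dependency on which Django release is installed.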