Warning: Critical unauthenticated SQL Injection vulnerability in Django, Patch Immediately!

Published: 07/11/2025
  • Last update: 07/11/2025

  • Affected software: Django
    → 5.2 before 5.2.8
    → 5.1 before 5.1.14
    → 4.2 before 4.2.26

  • Type: Improper Neutralization of Special Elements used in an SQL Command - 'SQL Injection' (CWE-89)

  • CVE/CVSS
    → CVE-2025-64459: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Sources

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Risks

The web-application framework Django is widely used to build Python-based web sites, APIs and services. The newly disclosed vulnerability (CVE-2025-64459) allows an attacker to perform an SQL injection attack on the database used by this framework.

Because many Django-based apps allow users to supply filter parameters or dynamic queries, this vulnerability is particularly interesting to an attacker: it allows unauthorized access, data modification or privilege escalation. The attack complexity is low, no authentication is needed, and the CVSS base score is 9.1 (critical) according to NVD.

The impact on the Confidentiality and Integrity aspects of the CIA triad is high: unauthorized data exposure, modification, deletion or even takeover of database accounts. Availability is less impacted in this case (no direct DoS), but the business impact is substantial: data breaches, compliance violations, damage to customer trust, and potential operational downtime during remediation.

Because many organizations rely on Django for production systems, this creates an urgent need to update software and review code paths.

Description

The vulnerability permits SQL injection when applications use dictionary expansion of user-supplied inputs into Django ORM methods (QuerySet.filter(), QuerySet.exclude(), QuerySet.get()) or the Q() class, and an attacker manipulates the _connector keyword argument.

In technical terms:

Developers sometimes allow users to supply filter parameters, for example via **request.GET.dict() expanded into filter() or exclude(). If an attacker includes keys such as _connector='OR' or manipulates logical connectors, they may alter the intended query logic and introduce SQL clauses not anticipated by the developer.

The versions affected are Django 5.1 before 5.1.14, Django 4.2 before 4.2.26, Django 5.2 before 5.2.8, and the main/6.0 branch.

Exploitation requires no user privileges (PR:N) and no user interaction (UI:N). The attack vector is network accessible. The base vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Proof-of-concept (PoC) code is not publicly confirmed yet, but multiple security analyses list the risk as “exploitation possible” and low complexity.

Although no reports yet suggest widespread active exploitation, the vulnerability’s nature and the framework’s popularity make it plausible that threat actors will attempt rapid exploitation.

Recommended Actions

Patch

Upgrade to Django version 5.2.8, 5.1.14 or 4.2.26 to mitigate this vulnerability.

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

Check for vulnerable code patterns: Review your codebase for use of ** expansion of user-controlled dictionaries into QuerySet methods or Q objects. Specifically audit endpoints that accept filtering parameters from GET/POST and pass them into filter(), exclude() or get() without explicit whitelisting.
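The following is an added example, not part of the CCB advisory or of Django itself, covering both the vulnerable pattern described above (** expansion of request parameters into filter()/exclude()/get() or Q()) and the code audit recommended here. It uses only the Python standard library: an AST scan that flags every call to those sinks receiving a **mapping, and an allowlist helper that drops unexpected keys such as _connector before they reach the ORM. The sample view source and query parameters are constructed for illustration.

```python
import ast

# QuerySet methods and the Q class named in the advisory as sinks for ** expansion.
SINK_METHODS = {"filter", "exclude", "get"}
SINK_NAMES = {"Q"}


def find_dict_expansion_sinks(source: str):
    """Return (lineno, callee) for every filter()/exclude()/get()/Q() call that
    receives a **mapping. In the AST a ** expansion is a keyword whose .arg is
    None, whatever expression produced the mapping, so every hit needs review."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS:
            callee = func.attr
        elif isinstance(func, ast.Name) and func.id in SINK_NAMES:
            callee = func.id
        else:
            continue
        if any(kw.arg is None for kw in node.keywords):
            hits.append((node.lineno, callee))
    return hits


def safe_filter_kwargs(params, allowed_fields):
    """Explicit allowlisting of user-supplied filter keys. Anything not listed
    is dropped; underscore-prefixed names such as _connector are rejected even
    if someone later adds them to the allowlist by mistake."""
    return {k: v for k, v in params.items()
            if k in allowed_fields and not k.startswith("_")}


# Constructed sample view code (hypothetical, not from the page) with both patterns.
SAMPLE_VIEW = '''
def list_items(request):
    qs = Item.objects.filter(**request.GET.dict())          # vulnerable pattern
    ok = Item.objects.filter(**safe_kwargs(request.GET))    # flagged too: scanner cannot see what safe_kwargs returns
    return Item.objects.filter(owner=request.user)          # explicit keys, not flagged
'''

if __name__ == "__main__":
    for lineno, callee in find_dict_expansion_sinks(SAMPLE_VIEW):
        print(f"line {lineno}: review **-expansion into {callee}()")
    # Constructed query-string parameters as a client could submit them.
    untrusted = {"name": "widget", "_connector": "OR", "price__gt": "10"}
    print(safe_filter_kwargs(untrusted, {"name", "category"}))  # -> {'name': 'widget'}
```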

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://docs.djangoproject.com/en/dev/releases/security