Warning: Critical unauthenticated SQL injection and DoS vulnerabilities in Django, patch immediately!

Published: 07/11/2025
  • Last update: 10/11/2025

  • Affected software: Django
    → 5.2 before 5.2.8
    → 5.1 before 5.1.14
    → 4.2 before 4.2.26

  • Type:
    → Improper Neutralization of Special Elements used in an SQL Command - 'SQL Injection' (CWE-89)
    → Inefficient Algorithmic Complexity (CWE-407)

  • CVE/CVSS
    → CVE-2025-64459: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
    → CVE-2025-64458: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)

Sources

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Risks

The web application framework Django is widely used to build Python-based websites, APIs, and services. The newly disclosed vulnerability (CVE-2025-64459) enables an attacker to execute an SQL injection attack against the database used by this framework.

Because many Django-based apps allow users to supply filter parameters or dynamic queries, this vulnerability is particularly attractive to an attacker, as it enables unauthorised access, data modification, or privilege escalation. The attack complexity is low and no authentication is needed; the CVSS base score is 9.1 (critical), according to the NVD.

The impact on the Confidentiality and Integrity aspects of the CIA triad is high, including unauthorised data exposure, modification, deletion, or even takeover of database accounts. Availability is less impacted in this case (no direct DoS), but the business impact is substantial: data breaches, compliance violations, damage to customer trust, and potential operational downtime during remediation.

Additionally, vulnerability CVE-2025-64458 poses a risk of a denial-of-service (DoS) attack with a high impact on availability. Since many organisations rely on Django for their production systems, this creates an urgent need to update the software and review affected code paths.

Description

The vulnerability permits SQL injection when applications use dictionary expansion of user-supplied inputs into Django ORM methods (QuerySet.filter(), QuerySet.exclude(), QuerySet.get()) or the Q() class, and an attacker manipulates the _connector keyword argument.

In technical terms:

Developers sometimes allow users to supply filter parameters, for example by expanding **request.GET.dict() into filter() or exclude(). If an attacker includes keys such as _connector='OR', or otherwise manipulates the logical connectors, they can alter the intended query logic and introduce SQL clauses the developer did not anticipate.

The versions affected are Django 5.1 before 5.1.14, Django 4.2 before 4.2.26, Django 5.2 before 5.2.8, and the main (6.0) development branch.

Exploitation requires no user privileges (PR:N) and no user interaction (UI:N). The attack vector is network accessible. The base vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Proof-of-concept (PoC) code is not publicly confirmed yet, but multiple security analyses list the risk as “exploitation possible” and low complexity.

Although no reports yet suggest widespread active exploitation, the vulnerability’s nature and the framework’s popularity make it plausible that threat actors will attempt rapid exploitation.

CVE-2025-64458 presents a possible DoS attack because NFKC normalization in Python is slow on Microsoft Windows operating systems. HttpResponseRedirect, HttpResponsePermanentRedirect, and redirect could result in a denial-of-service attack through specific inputs containing a very large number of Unicode characters.

Recommended Actions

Patch

Upgrade to Django version 5.2.8, 5.1.14 or 4.2.26 to mitigate these vulnerabilities.

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

Check for vulnerable code patterns: Review your codebase for use of ** expansion of user-controlled dictionaries into QuerySet methods or Q objects. Specifically audit endpoints that accept filtering parameters from GET/POST and pass them into filter(), exclude() or get() without explicit whitelisting.
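As an added example (not part of the CCB advisory or of Django's own code), the audit described above can be automated with Python's standard ast module: the scanner flags any filter()/exclude()/get()/Q() call that receives a **-expanded dictionary, and the helper shows the explicit allowlisting that should replace raw expansion. The sample view source is constructed for the demonstration; Article, request.GET and request.POST are assumed names and nothing here imports Django.

```python
import ast

# ORM entry points that must never receive an unfiltered **user_dict
SINK_NAMES = {"filter", "exclude", "get", "Q"}


def find_dict_expansion_sinks(source: str, filename: str = "<string>"):
    """Return sorted (line, call_name) pairs for sink calls that take **kwargs."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Handles both `qs.filter(...)` (Attribute) and bare `Q(...)` (Name)
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        # A keyword with arg=None is exactly the `**mapping` form in the AST
        if name in SINK_NAMES and any(kw.arg is None for kw in node.keywords):
            hits.append((node.lineno, name))
    return sorted(hits)


def safe_lookup_kwargs(params: dict, allowed_fields: set) -> dict:
    """Keep only lookups on explicitly allowed fields.

    Keys beginning with an underscore (for example _connector) are internal
    Q()/QuerySet parameters and are dropped; the field name is the part before
    the first '__' so lookups such as title__icontains stay usable.
    """
    clean = {}
    for key, value in params.items():
        if key.startswith("_"):
            continue
        if key.split("__", 1)[0] in allowed_fields:
            clean[key] = value
    return clean


# Constructed sample of a view to scan (not real project code).
SAMPLE_VIEW = '''
from django.db.models import Q
def search(request):
    qs = Article.objects.filter(**request.GET.dict())        # flagged: ** into filter()
    qs = qs.exclude(status="draft")                          # not flagged: literal kwargs
    return Article.objects.filter(Q(**request.POST.dict()))  # flagged: ** into Q()
'''

if __name__ == "__main__":
    for line, name in find_dict_expansion_sinks(SAMPLE_VIEW, "views.py"):
        print(f"views.py:{line}: user dict expanded into {name}()")
```

Run the scanner over real view modules with `find_dict_expansion_sinks(open(path).read(), path)`; every hit is a candidate for replacing the expansion with `safe_lookup_kwargs(params, ALLOWED)`.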

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://nvd.nist.gov/vuln/detail/CVE-2025-64458
https://docs.djangoproject.com/en/dev/releases/security