CVE-2025-59681

EUVD-2025-32691
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
SQL Injection
CVSS 3.x Base Score

| Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector                                       |
|----------|---------|------------|-------------|-----------------|----------------|----------------------------------------------|
| NIST     | Primary | 7.1 HIGH   | NETWORK     | HIGH            | LOW            | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
| mitre    | CNA     | 7.1 HIGH   | NETWORK     | HIGH            | LOW            | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |

EPSS Score: percentile 5%
Affected Products (NVD)

| Vendor        | Product | Version          |
|---------------|---------|------------------|
| djangoproject | django  | 4.2 ≤ x < 4.2.25 |
| djangoproject | django  | 5.1 ≤ x < 5.1.13 |
| djangoproject | django  | 5.2 ≤ x < 5.2.7  |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename            | Version              | Status     |
|----------------|---------------------|----------------------|------------|
| python-django  | bookworm            |                      | vulnerable |
| python-django  | bookworm (security) | 3:3.2.25-0+deb12u1   | fixed      |
| python-django  | bullseye            |                      | vulnerable |
| python-django  | bullseye (security) | 2:2.2.28-1~deb11u12  | fixed      |
| python-django  | forky               | 3:4.2.28-1           | fixed      |
| python-django  | sid                 | 3:4.2.28-1           | fixed      |
| python-django  | trixie              |                      | vulnerable |
| python-django  | trixie (security)   | 3:4.2.27-0+deb13u1   | fixed      |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version                | Status   |
|----------------|----------|------------------------------|----------|
| python-django  | bionic   | 1:1.11.11-1ubuntu1.21+esm12  | released |
| python-django  | focal    | 2:2.2.12-1ubuntu0.29+esm4    | released |
| python-django  | jammy    | 2:3.2.12-2ubuntu1.22         | released |
| python-django  | noble    | 3:4.2.11-1ubuntu1.11         | released |
| python-django  | plucky   | 3:4.2.18-1ubuntu1.5          | released |
| python-django  | questing | 3:5.2.4-1ubuntu2             | released |
| python-django  | trusty   | 1.6.11-0ubuntu1.3+esm8       | released |
| python-django  | xenial   | 1.8.7-1ubuntu5.15+esm9       | released |