CVE-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases when a suitably crafted dictionary is passed, via dictionary expansion, as the **kwargs to these methods (on MySQL and MariaDB).

Weakness: SQL Injection
Base Score (CVSS 3.x)

Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector
NIST | NIST | 7.1 HIGH | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
mitre | CNA | 7.1 HIGH | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA-ADP | ADP | --- | | | | ---
CVE | ADP | --- | | | | ---

EPSS Score: percentile 5%
Affected versions

Vendor | Product | Version
djangoproject | django | 4.2 ≤ x < 4.2.25
djangoproject | django | 5.1 ≤ x < 5.1.13
djangoproject | django | 5.2 ≤ x < 5.2.7

x = vulnerable software versions
Debian Releases

Product | Codename | Version | Status
python-django | bullseye | | vulnerable
python-django | bullseye (security) | 2:2.2.28-1~deb11u9 | fixed
python-django | bookworm | | vulnerable
python-django | bookworm (security) | | vulnerable
python-django | trixie | | vulnerable
python-django | forky | 3:4.2.26-1 | fixed
python-django | sid | 3:4.2.26-1 | fixed
Ubuntu Releases

Product | Codename | Fixed version | Status
python-django | plucky | 3:4.2.18-1ubuntu1.5 | released
python-django | noble | 3:4.2.11-1ubuntu1.11 | released
python-django | jammy | 2:3.2.12-2ubuntu1.22 | released
python-django | focal | 2:2.2.12-1ubuntu0.29+esm4 | released
python-django | bionic | 1:1.11.11-1ubuntu1.21+esm12 | released
python-django | xenial | 1.8.7-1ubuntu5.15+esm9 | released
python-django | trusty | 1.6.11-0ubuntu1.3+esm8 | released