CVE-2025-57833 — SQL Injection in Django

CWE-89 — SQL Injection9 documents8 sources

Severity

8.1HIGHNVD

CNA7.1

EPSS

0.0%

top 94.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedSep 3

Latest updateDec 2

Description

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5djangoproject/django4.2 — 4.2.24+2

▶NVDdjangoproject/django4.2 — 4.2.24+2

▶PyPIdjangoproject/django5.0a1 — 5.1.12+2

🔴Vulnerability Details

GHSA

Django is subject to SQL injection through its column aliases↗2025-09-08

▶

OSV

Django is subject to SQL injection through its column aliases↗2025-09-08

▶

OSV

CVE-2025-57833: An issue was discovered in Django 4↗2025-09-03

▶

CVEList

CVE-2025-57833: An issue was discovered in Django 4↗2025-09-03

▶

📋Vendor Advisories

Red Hat

django: Django SQL injection in FilteredRelation column aliases↗2025-09-03

▶

Ubuntu

Django vulnerability↗2025-09-03

▶

Debian

CVE-2025-57833: python-django - An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 ...↗2025

▶

💬Community

HackerOne

Potential SQL Injection when annotating FilteredRelation on PostgreSQL↗2025-12-02

▶