CVE-2025-57833
published 2025-09-03


Priority: P2 65
CVSS 3.1: 8.1 (high), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.60% (96.4th percentile)
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().

Affected (7 ranges)

Vendor          Product         Version range                                  Fixed in
debian          python-django   < 3:3.2.25-0+deb12u1 (bookworm)                3:3.2.25-0+deb12u1 (bookworm)
djangoproject   django          >= 0 < 4.2.24                                  4.2.24
djangoproject   django          >= 4.2 < 4.2.24                                4.2.24
djangoproject   django          >= 5.0a1 < 5.1.12                              5.1.12
djangoproject   django          >= 5.1 < 5.1.12                                5.1.12
djangoproject   django          >= 5.2 < 5.2.6                                 5.2.6
djangoproject   django          >= 5.2a1 < 5.2.6                               5.2.6

Detection & IOCs (extracted from sources)

command: $a$,$b$,$c$,(1)from(select(1)id,(pg_read_file($$/etc/passwd$$))title,(3)author_id,(4)editor_id,(5)number_editor,(6)editor_number,(7)state)filtered_relation_book,(select(1),1
path: django/db/models/sql/query.py
  • Look for SQL queries containing PostgreSQL dollar-quoting syntax (e.g., $tag$...$tag$) in Django ORM-generated SQL, particularly in JOIN alias or column alias positions; this indicates exploitation of the FilteredRelation SQL injection.
  • Monitor Django application logs for SQL queries where user-controlled input appears as column aliases in QuerySet.annotate() or QuerySet.alias() calls, especially when it contains special characters such as `$`, commas, or subquery syntax.
  • The vulnerability stems from an incomplete FORBIDDEN_ALIAS_PATTERN regex in django/db/models/sql/query.py (line 60) that does not block the `$` character; patched versions add `$` to the forbidden pattern.
  • This SQL injection via FilteredRelation column aliases is only exploitable when user-controlled input is passed (via dictionary expansion, **kwargs) directly to QuerySet.annotate() or QuerySet.alias(); applications that do not pass untrusted data as annotation/alias keyword argument names are not affected.
  • Affected Django versions are 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6; deployments on these versions with PostgreSQL are at heightened risk because of the dollar-quoting bypass.

CVSS provenance

nvd (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 8.1 HIGH
vendor_debian: 7.1 HIGH
vendor_redhat: 7.1 HIGH