CVE-2025-59681
Published 2025-10-01
Priority P3 · 57 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% (43.5th percentile)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
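The mechanism the advisory describes, as an added example that is not Django's code and not part of any advisory quoted on this page: a dictionary whose keys are attacker-controlled is expanded with `**` into `annotate()`-style keyword arguments, each key becomes a column alias, and on a MySQL-style backend the alias is merely wrapped in backticks without escaping backticks inside it, so a crafted key closes the quoting and appends its own SQL. The `quote_name` helper mimics that wrapping behaviour; SQLite is used as an offline stand-in because it accepts backtick-quoted identifiers; the `users` table, its contents and the `FORBIDDEN_ALIAS_PATTERN` regex are constructed for the example (the pattern follows the forbidden-character approach of the fix but is not a copy of Django's own).

```python
import re
import sqlite3

# Modelled on the forbidden-character approach Django took in its fix; this
# exact pattern is an assumption for the example, not a copy of Django's own.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def quote_name(name: str) -> str:
    """Backtick-quote an identifier the way MySQL-style backends do.

    Django's MySQL backend wraps the name in backticks but does not escape
    backticks already inside it, which is what lets a crafted alias close
    the quoting early.
    """
    if name.startswith("`") and name.endswith("`"):
        return name  # already quoted
    return f"`{name}`"


def check_alias(alias: str) -> str:
    """Reject aliases that could break out of identifier quoting."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace, quotation marks, "
            f"semicolons, or SQL comments: {alias!r}"
        )
    return alias


def build_select(aliases: dict, safe: bool) -> str:
    """Emulate annotate(**aliases): every dict key becomes 'expr AS alias'.

    The values stand in for trusted expressions (here plain column names);
    only the keys are attacker-controlled in the advisory's scenario.
    """
    parts = []
    for alias, expr in aliases.items():
        if safe:
            check_alias(alias)
        parts.append(f"{expr} AS {quote_name(alias)}")
    return f"SELECT {', '.join(parts)} FROM users"


def run(sql: str) -> list:
    """Execute against a constructed in-memory table (SQLite accepts
    backtick-quoted identifiers for MySQL compatibility)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, secret TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'hunter2')")
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


# Constructed attacker input. The key is not a valid Python identifier, but
# Model.objects.annotate(**payload) still passes it through as a kwarg name.
MALICIOUS = {"x`, secret AS `y": "id"}
BENIGN = {"total": "id"}


def vulnerable_rows() -> list:
    """Unpatched behaviour: the alias smuggles a second column into SELECT."""
    return run(build_select(MALICIOUS, safe=False))


def hardened_result() -> str:
    """Patched behaviour: the alias check rejects the payload before SQL."""
    try:
        build_select(MALICIOUS, safe=True)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    print(build_select(MALICIOUS, safe=False))
    print(vulnerable_rows())
    print(hardened_result())
    print(run(build_select(BENIGN, safe=True)))
```

The unpatched path emits `SELECT id AS `x`, secret AS `y` FROM users` and returns the `secret` column the caller never selected; the hardened path refuses the alias before any SQL is built. The HackerOne report further down this page shows the weakness of a pure denylist: PostgreSQL dollar-quoting (`$$...$$`) is a quoting mechanism the pattern above does not cover, so application code that accepts alias names from users should prefer an allowlist of plain identifiers over a forbidden-character pattern.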
Affected (4 distinct ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 3:3.2.25-0+deb12u1 (bookworm) | 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.25 | 4.2.25 |
| djangoproject | django | >= 5.1 < 5.1.13 | 5.1.13 |
| djangoproject | django | >= 5.2 < 5.2.7 | 5.2.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 7.1 | HIGH | |
| vendor_redhat | 7.1 | HIGH | |
| vendor_ubuntu | 7.1 | HIGH | |
OSV
CVE-2025-59681: An issue was discovered in Django 4
osv · 2025-10-01 · CVSS 9.8 CRITICAL
Description: identical to the NVD text above.
OSV
Django vulnerable to SQL injection in column aliases
osv · 2025-10-01 · HIGH
Description: identical to the NVD text above.
OSV
python-django vulnerabilities
osv · 2025-10-01 · CVSS 9.8 CRITICAL
It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-59681)
It was discovered that Django incorrectly handled files with the same path prefix when starting with a template. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-59682)
GHSA
Django vulnerable to SQL injection in column aliases
ghsa · 2025-10-01 · HIGH · CWE-89
Description: identical to the NVD text above.
Red Hat
django: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB
vendor_redhat · 2025-10-01 · CVSS 7.1 HIGH · CWE-89
Description: identical to the NVD text above.
A flaw was found in Django. A couple of QuerySet methods are subject to SQL injection in column aliases, using a suitably crafted dictionary.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment,
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2025-10-01 · CVSS 7.1 HIGH
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-59681)
It was discovered that Django incorrectly handled files with the same path prefix when starting with a template. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-59682)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-59681: python-django - An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 ...
vendor_debian · 2025 · CVSS 7.1 HIGH
Description: identical to the NVD text above.
Scope: local
| Suite | Status |
|---|---|
| bookworm | resolved (fixed in 3:3.2.25-0+deb12u1) |
| bullseye | resolved (fixed in 2:2.2.28-1~deb11u9) |
| forky | resolved (fixed in 3:4.2.25-1) |
| sid | resolved (fixed in 3:4.2.25-1) |
| trixie | resolved (fixed in 3:4.2.27-0+deb13u1) |
No detection rules found.
No public exploits indexed.
HackerOne
Potential SQL Injection when annotating FilteredRelation on PostgreSQL
hackerone · 2025-12-02 · CVSS 8.1 HIGH · CVE-2025-57833
Hi Django security team!
This vulnerability is related to [CVE 2025-57833](https://docs.djangoproject.com/en/dev/releases/security/#september-3-2025-cve-2025-57833) and [CVE 2025-59681](https://docs.djangoproject.com/en/dev/releases/security/#october-1-2025-cve-2025-59681) as it results from an incomplete Regex filter in the [FORBIDDEN_ALIAS_PATTERN](https://github.com/django/django/blob/4ceaaee7e04b416fc465e838a6ef43ca0ccffafe/django/db/models/sql/query.py#L60).
On PostgreSQL, the `$` symbol can be used to replace quotes and build raw strings between tags like this: `$$something$$` or `$tag$something$tag$`. This can be abused to make part of the query interpreted as a raw string instead of the actual query to execu
Bugzilla
CVE-2025-59681 python-django3: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB [epel-all]
bugzilla · 2025-11-20 · CVSS 9.8 CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
Reassigning from `epel10` to `epel9`: Bug filed against a branch the package never shipped on. The `epel9` branch is retired (the `dead.packa