CVE-2025-59681

CWE-89 — SQL Injection10 documents8 sources

Severity

9.8CRITICAL

EPSS

0.0%

top 98.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 1

Latest updateDec 2

Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:NExploitability: 1.8 | Impact: 4.7

Affected Packages6 packages

▶PyPIDjango4.2 — 4.2.25+2

▶PyPIdjango4.2 — 4.2.25+2

▶CVEListV5djangoproject/django4.2 — 4.2.25+2

▶NVDdjangoproject/django4.2 — 4.2.25+2

▶Debianpython-django< 2:2.2.28-1~deb11u9+3

🔴Vulnerability Details

OSV

CVE-2025-59681: An issue was discovered in Django 4↗2025-10-01

▶

OSV

Django vulnerable to SQL injection in column aliases↗2025-10-01

▶

OSV

python-django vulnerabilities↗2025-10-01

▶

GHSA

Django vulnerable to SQL injection in column aliases↗2025-10-01

▶

CVEList

CVE-2025-59681: An issue was discovered in Django 4↗2025-10-01

▶

📋Vendor Advisories

Red Hat

django: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB1↗2025-10-01

▶

Ubuntu

Django vulnerabilities↗2025-10-01

▶

Debian

CVE-2025-59681: python-django - An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 ...↗2025

▶

💬Community

HackerOne

Potential SQL Injection when annotating FilteredRelation on PostgreSQL↗2025-12-02

▶