CVE-2025-64459

CVE-2025-64459 is a SQL injection vulnerability affecting Django, a Python web framework. It impacts versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8, specifically in the ORM methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), as well as the Q() class. The flaw arises when a suitably crafted dictionary, expanded via dictionary expansion, is passed as the _connector argument, enabling SQL injection. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-89.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation occurs if untrusted input can influence the _connector argument in the affected ORM methods, allowing attackers to inject and execute arbitrary SQL queries. Successful attacks can result in high confidentiality and integrity impacts, such as unauthorized data access, modification, or extraction from the underlying database.

Django's security advisories recommend upgrading to the patched releases: 5.1.14, 4.2.26, or 5.2.8. Details are available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce group at https://groups.google.com/g/django-announce, and the November 5, 2025 weblog post at https://www.djangoproject.com/weblog/2025/nov/05/security-releases/. The vulnerability was reported by cyberstan.