CVE-2024-53908

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection attacks in Django applications when using the django.db.models.fields.json.HasKey lookup directly with untrusted data on Oracle databases. It affects Django applications running on Oracle database backends with specific vulnerable versions. Applications using the jsonfield.has_key lookup via __ (double underscore) are not affected.

💻 Affected Systems

Products:
  • Django
Versions: Django 5.1 before 5.1.4, Django 5.0 before 5.0.10, Django 4.2 before 4.2.17
Operating Systems: All operating systems running Django
Default Config Vulnerable: ✅ No
Notes: Only affects Django applications using Oracle database backend with direct HasKey lookup usage (not via __). Requires untrusted data as lhs value.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise allowing data theft, modification, or deletion, and potential remote code execution depending on database configuration.

🟠 Likely Case: Data exfiltration, unauthorized data access, or database manipulation through SQL injection.

🟢 If Mitigated: Limited impact if input validation and parameterized queries are used elsewhere, but this specific vector remains vulnerable.

🌐 Internet-Facing: HIGH - Web applications accepting user input that reaches this lookup are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific conditions (Oracle DB, direct HasKey usage with untrusted input) but is straightforward when those conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.1.4, Django 5.0.10, Django 4.2.17

Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/

Restart Required: Yes

Instructions:

1. Upgrade Django to a patched version: pip install Django==5.1.4 (or the appropriate version for your series).
2. Restart your Django application server.
3. Test application functionality.

🔧 Temporary Workarounds

Avoid direct HasKey usage (applies to: all)

Replace direct django.db.models.fields.json.HasKey lookups with jsonfield.has_key lookups using the __ syntax.

Input validation (applies to: all)

Implement strict input validation and sanitization for any data used in HasKey lookups.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data that could reach HasKey lookups
  • Use jsonfield.has_key lookups with __ syntax instead of direct HasKey usage

🔍 How to Verify

Check if Vulnerable:

Check the Django version, and search the codebase for direct usage of django.db.models.fields.json.HasKey with untrusted data on deployments that use the Oracle database backend.

Check Version:

python -m django --version

Verify Fix Applied:

Verify that the Django version is at least the patched release for its series: 5.1.4 or higher, 5.0.10 or higher, or 4.2.17 or higher.
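The following version checker is an added example, not part of this advisory or of Django itself. It parses the output of `python -m django --version` and compares it against the patched releases listed above (5.1.4, 5.0.10, 4.2.17), treating each release series separately so that, for example, 5.0.9 is flagged even though 5.0.9 sorts below 5.1.4. Versions outside the three listed series are reported as "not in an affected series" rather than as patched, since the advisory only speaks to those series.

```python
"""Classify an installed Django version against the CVE-2024-53908 fix releases.

Added example for this advisory; the thresholds below are the patched versions
the advisory lists, everything else (function names, messages) is illustrative.
"""
from __future__ import annotations

import re

# Affected series -> first release in that series that carries the fix (from the advisory).
PATCHED = {
    (5, 1): (5, 1, 4),
    (5, 0): (5, 0, 10),
    (4, 2): (4, 2, 17),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a version string such as '5.1.3' (the form printed by
    `python -m django --version`) into a (major, minor, patch) tuple.
    A missing patch component counts as 0; any pre-release suffix is ignored,
    so '5.1rc1' is treated as 5.1.0 and therefore as below 5.1.4."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched', or 'not in an affected series'.

    The comparison is done within the installed version's own series, because
    the fix shipped as a separate release for each of 5.1, 5.0 and 4.2."""
    version = parse_version(version_text)
    series = version[:2]
    if series not in PATCHED:
        return "not in an affected series"
    return "patched" if version >= PATCHED[series] else "vulnerable"


if __name__ == "__main__":
    import subprocess
    import sys

    # Ask the interpreter that runs this script which Django it would import.
    try:
        output = subprocess.run(
            [sys.executable, "-m", "django", "--version"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        sys.exit("Django is not importable from this interpreter")
    print(f"Django {output.strip()}: {assess(output)}")
```

Run it with the same interpreter that serves the application, since a patched version in one virtual environment says nothing about another. The version result should be combined with the code search above: a patched version closes the issue, while an older version is only exposed where direct HasKey usage with untrusted data reaches the Oracle backend, and the `__has_key` lookup syntax (for example `Model.objects.filter(data__has_key=key)`) is the form the advisory recommends in either case.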

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries from Django application, especially with JSON operations
  • Database error logs showing malformed SQL

Network Indicators:

  • Unusual database traffic patterns from application servers

SIEM Query:

source="django.logs" AND ("HasKey" OR "json lookup" OR "SQL error")

🔗 References