CVE-2025-64459 – This SQL injection vulnerability in Django allo... (How to Fix)

Q: What is the severity of CVE-2025-64459?

CVE-2025-64459 has a CVSS score of 9.1 (CRITICAL). This SQL injection vulnerability in Django allows attackers to execute arbitrary SQL commands by passing specially crafted dictionary arguments to QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or Q() methods. It affects Django versions 5.1 before 5.1.14, 4.2 before 4.2.26, 5.2 before 5.2.8, and potentially earlier unsupported series. Any Django application using these query methods with dictionary expansion is vulnerable.

📋 TL;DR

This SQL injection vulnerability in Django allows attackers to execute arbitrary SQL commands by passing specially crafted dictionary arguments to QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or Q() methods. It affects Django versions 5.1 before 5.1.14, 4.2 before 4.2.26, 5.2 before 5.2.8, and potentially earlier unsupported series. Any Django application using these query methods with dictionary expansion is vulnerable.

💻 Affected Systems

Products:

Django

Versions: 5.1 before 5.1.14, 4.2 before 4.2.26, 5.2 before 5.2.8, potentially earlier unsupported series (5.0.x, 4.1.x, 3.2.x)

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability requires use of QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or Q() methods with dictionary expansion as _connector argument.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Data exfiltration, data corruption, authentication bypass, and unauthorized access to sensitive information.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH - Web applications are directly exposed to attack vectors through user inputs.

🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Technical details and proof-of-concept available in public disclosure. Exploitation requires attacker to control dictionary input to vulnerable methods.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.1.14, 4.2.26, 5.2.8

Vendor Advisory: https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Restart Required: Yes

Instructions:

1. Backup your Django project and database. 2. Update Django using pip: 'pip install Django==5.1.14' (or appropriate version). 3. Test your application thoroughly. 4. Restart your web server/application.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for all dictionary parameters passed to QuerySet methods

Database User Privilege Reduction

all

Limit database user permissions to minimum required operations

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) with SQL injection rules
Deploy database activity monitoring and alerting for suspicious queries

🔍 How to Verify

Check if Vulnerable:

Check Django version: 'python -m django --version'. If version is 5.1.x < 5.1.14, 4.2.x < 4.2.26, or 5.2.x < 5.2.8, you are vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After patching, verify version shows patched version and test vulnerable query patterns with safe test inputs.

📡 Detection & Monitoring

Log Indicators:

Unusual database query patterns
SQL syntax errors in application logs
Multiple failed query attempts

Network Indicators:

Unusual database connection patterns
Large data transfers from database

SIEM Query:

source="django.logs" AND ("SQL" OR "database" OR "query") AND ("error" OR "exception" OR "malformed")

📊 Metadata

CVE ID: CVE-2025-64459

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-89

EPSS Score: 0.1% exploit probability (27.3th percentile)

Published: November 5, 2025

Last Updated: November 10, 2025

🔗 References

https://docs.djangoproject.com/en/dev/releases/security/ Vendor Advisory
https://groups.google.com/g/django-announce Mailing List
https://www.djangoproject.com/weblog/2025/nov/05/security-releases/ Vendor Advisory
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64459, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Django by Djangoproject

Django by Djangoproject

Django by Djangoproject

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Input Validation and Sanitization

Database User Privilege Reduction

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities