Critical Django Flaw Allows Attackers to Exploit SQL Injection

The Django development team has issued three crucial security releases on September 3, 2025, addressing a high-severity SQL injection vulnerability that affects multiple supported versions of the popular Python web framework.

Django versions 5.2.6, 5.1.12, and 4.2.24 have been released to patch CVE-2025-57833, which poses a significant security risk to applications using FilteredRelation functionality.

SQL Injection Risk in FilteredRelation

The vulnerability, assigned CVE-2025-57833, centers on Django’s FilteredRelation feature, which was found to be susceptible to SQL injection through column alias names.

According to the official announcement by Sarah Boyce, the issue can be exploited using specially crafted dictionaries passed via dictionary expansion as keyword arguments to the QuerySet.annotate() or QuerySet.alias() methods.

To summarize the key aspects of this vulnerability:

  • It enables injection via FilteredRelation column alias names.
  • Exploitation occurs when passing a crafted dictionary to .annotate() or .alias().
  • Severity is classified as high, indicating the potential for severe data compromise.
  • Affects the main branch, 5.2, 5.1, and 4.2 release lines.

The vulnerability was discovered and reported by security researcher Eyal Gabay from EyalSec, highlighting the importance of the security community’s ongoing efforts to identify and report potential threats.

Under Django’s security policy classification system, this issue has been rated “high” severity, the tier Django reserves for issues with significant impact such as remote code execution and SQL injection.

Comprehensive Fixes Applied

In response to the vulnerability, the Django security team has implemented comprehensive fixes across all affected branches.

The patches have been systematically applied to Django’s main branch as well as the 5.2, 5.1, and 4.2 release branches, ensuring that users across different versions can access appropriate security updates.

The development team has made the patches readily available through GitHub commits, providing transparency and allowing developers to review the specific changes made to address the security issue.

Each branch received tailored patches that maintain compatibility while effectively closing the security loophole in FilteredRelation column alias handling.

These security releases follow Django’s established security release policy, which prioritizes rapid response to high-severity vulnerabilities.

The coordinated release across multiple versions demonstrates the team’s commitment to maintaining security across their supported ecosystem.

Django’s security team is strongly encouraging all users to upgrade to the latest security releases as soon as possible.

The three new versions—Django 5.2.6, 5.1.12, and 4.2.24—are now available for download with complete checksums provided for verification purposes.
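The two defender-side checks the advisory implies, written here as an added example rather than Django project code: an alias-name allowlist so that request data never chooses the keys splatted into annotate()/alias() (the exploitation pattern described above), and a version check against the fixed releases just listed. FIXED_VERSIONS, safe_alias_kwargs, is_patched and the sample input are assumptions constructed for this example.

```python
# Added example (not Django's code): defender-side checks around CVE-2025-57833.
# 1. is_patched(): is a Django version at or past the fixed release for its line?
# 2. safe_alias_kwargs(): untrusted input must never pick the alias names that are
#    **-expanded into QuerySet.annotate()/QuerySet.alias().
# Fixed versions come from the advisory; all other names and inputs are constructed.
import re

FIXED_VERSIONS = {(5, 2): (5, 2, 6), (5, 1): (5, 1, 12), (4, 2): (4, 2, 24)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # plain identifiers only


def parse_version(text):
    """'5.2.5' -> (5, 2, 5); '5.1' -> (5, 1, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version_text):
    """True only for a supported line at or past its fixed release.
    Lines the advisory does not list (e.g. 5.0) got no fix and count as unpatched."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v >= fixed


def safe_alias_kwargs(untrusted, allowed_aliases):
    """Filter a request-supplied mapping before **-expanding it into annotate()/alias().
    Keys must be syntactically plain identifiers AND in an explicit allowlist; the
    rest are dropped and returned so attacker-chosen text never becomes a column alias."""
    accepted, rejected = {}, []
    for key, value in untrusted.items():
        if isinstance(key, str) and _ALIAS_RE.match(key) and key in allowed_aliases:
            accepted[key] = value
        else:
            rejected.append(key)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample standing in for query-string keys taken from a request.
    requested = {"recent_books": "q1", 'books"x': "q2", "other": "q3"}
    print(safe_alias_kwargs(requested, {"recent_books", "other"}))
    for ver in ("4.2.23", "4.2.24", "5.1.12", "5.2.5", "5.2.6", "5.0.14"):
        print(ver, is_patched(ver))
```

The allowlist is defence in depth: upgrading is the fix, but alias names derived from request data should be rejected regardless of framework version.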

The releases are digitally signed using PGP key ID 3955B19851EA96EF, allowing users to verify the authenticity of their downloads.

This security measure helps ensure that the patches themselves haven’t been tampered with during distribution.

As part of Django’s ongoing security practices, the team continues to emphasize that potential security issues should be reported privately via email to security@djangoproject.com rather than through public channels.

This responsible disclosure process helps protect users by allowing patches to be developed and distributed before vulnerabilities become widely known to potential attackers.

The post Critical Django Flaw Allows Attackers to Exploit SQL Injection appeared first on Cyber Security News.
