Multiple Django Vulnerabilities Enable SQL injection and DoS Attack

Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.

The vulnerabilities, identified as CVE-2025-64458 and CVE-2025-64459, affect core components of the framework and require immediate attention from developers using Django in their applications.

The more serious of the two vulnerabilities, CVE-2025-64459, carries a high severity rating and involves a potential SQL injection weakness in Django’s QuerySet and Q objects.

SQL Injection and Windows-Specific DoS Vulnerability

Security researcher Cyberstan discovered that the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, along with the Q() class, are vulnerable when processing specially crafted dictionaries that use the _connector keyword argument with dictionary expansion.

This flaw could enable malicious actors to inject arbitrary SQL commands into database queries, potentially compromising sensitive data or gaining unauthorized access to backend systems.
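The risky pattern is expanding an untrusted dictionary straight into QuerySet.filter() or Q(). The allow-list validator below is an added example, not Django's own code; it assumes a view that builds filters from request parameters and a constructed per-field lookup policy, and it rejects reserved keys such as _connector before expansion. Upgrading to a patched release is still required.

```python
"""Allow-list validation for user-supplied QuerySet filter keys.

Added example, not Django's code. Assumes a view doing
Model.objects.filter(**params) or Q(**params) with params taken
from the request, the pattern the advisory describes.
"""
import re

# Reserved Q()/filter() keyword arguments that must never come from users.
RESERVED_KWARGS = {"_connector", "_negated"}

# Constructed policy: which lookups each exposed field may use.
ALLOWED_LOOKUPS = {
    "title": {"exact", "icontains", "istartswith"},
    "status": {"exact", "in"},
    "created": {"gte", "lte"},
}

# A key is "field" or "field__lookup"; nothing else is accepted.
_KEY_RE = re.compile(r"^[a-z][a-z0-9]*(?:__[a-z0-9]+)?$")


class UnsafeFilterKey(ValueError):
    """Raised when a request parameter must not reach QuerySet.filter()."""


def validate_filter_kwargs(untrusted: dict) -> dict:
    """Return a dict safe to expand into filter(); raise on anything else."""
    safe = {}
    for key, value in untrusted.items():
        # Reserved and underscore-prefixed names are internal to Q()/filter().
        if not isinstance(key, str) or key in RESERVED_KWARGS or key.startswith("_"):
            raise UnsafeFilterKey(f"reserved or private key rejected: {key!r}")
        if not _KEY_RE.match(key):
            raise UnsafeFilterKey(f"malformed lookup: {key!r}")
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"  # bare "field" means field__exact
        if lookup not in ALLOWED_LOOKUPS.get(field, set()):
            raise UnsafeFilterKey(f"field/lookup not allowed: {key!r}")
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed request parameters; in a view: Model.objects.filter(**params)
    params = validate_filter_kwargs({"title__icontains": "django", "status": "open"})
    print(params)
```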

SQL injection remains one of the most dangerous web application vulnerabilities, making this discovery particularly concerning for organizations relying on Django for their web infrastructure.

The second vulnerability, CVE-2025-64458, affects Django installations running on Windows.

CVE ID           Vulnerability Type        Affected Versions                   CVSS Score
CVE-2025-64458   Denial-of-Service (DoS)   Django 4.2, 5.1, 5.2, 6.0 (beta)    5.3
CVE-2025-64459   SQL Injection             Django 4.2, 5.1, 5.2, 6.0 (beta)    9.8

Seokchan Yoon from ch4n3.KR identified this moderate-severity denial-of-service weakness in the HttpResponseRedirect and HttpResponsePermanentRedirect functions. The issue stems from slow NFKC normalization in Python on Windows.

Attackers can exploit this performance bottleneck by submitting inputs containing vast numbers of Unicode characters, causing the application to consume excessive resources and potentially become unresponsive.

Although rated moderate severity, this vulnerability could still disrupt services and affect user experience on Windows-based Django deployments.

Django developers should update their installations to the latest patched versions as soon as possible.

Organizations using Django on Windows systems should pay particular attention to the DoS vulnerability. At the same time, all Django users must address the SQL injection flaw regardless of their operating system.

Regular security updates and following Django’s security best practices remain essential for maintaining secure web applications.

The post Multiple Django Vulnerabilities Enable SQL injection and DoS Attack appeared first on Cyber Security News.
