Vulnerability News
sysops

The Django development team has issued critical security updates to address a high-severity vulnerability that could allow attackers to execute malicious SQL code on web servers using the popular framework.

The flaw, identified as CVE-2025-57833, affects multiple versions of Django, prompting an urgent call for all users to upgrade their installations as soon as possible.

In line with its security policy, Django has released new versions to fix the issue: Django 5.2.6, Django 5.1.12, and the long-term support (LTS) release Django 4.2.24.

The vulnerability resides within the FilteredRelation component of Django’s Object-Relational Mapping (ORM) system.

According to the security advisory, an attacker could exploit this flaw by passing a specially crafted dictionary as a keyword argument to the QuerySet.annotate() or QuerySet.alias() methods.

This could lead to an SQL injection attack, where the attacker can interfere with the queries that an application makes to its database.

Django SQL Injection Vulnerability

SQL injection is classified as a “High” severity issue under Django’s security guidelines because it can potentially allow attackers to view, modify, or delete sensitive data, and in some cases, gain full control over the affected database server.

The affected supported versions include the main development branch and versions 5.2, 5.1, and 4.2, making this a widespread issue for many production environments.

The Django team has already applied patches to all active branches to resolve the vulnerability.

The issue was responsibly disclosed by security researcher Eyal Gabay of EyalSec, who was credited in the official announcement.

This discovery and the subsequent coordinated release highlight the effectiveness of Django’s established security reporting process.

This procedure prevents exploits from being widely known before a fix is available and includes notifying distributors and major stakeholders in advance of the public release.

Developers and system administrators using Django are strongly encouraged to review their projects and apply the updates immediately.

The patches are available in the latest versions on the Python Package Index (PyPI) and through Django’s official Git repository.

Failing to upgrade could leave applications exposed to significant security risks, including unauthorized data access and potential database compromise.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

Related Posts

Security researchers have uncovered critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that could allow attackers to completely bypass…

CISA has issued a critical warning regarding a high-severity OS command injection vulnerability in Trend Micro Apex One Management Console…

Security researchers have disclosed a critical vulnerability in Avast Free Antivirus that could allow attackers to gain elevated system privileges…