Django Critical Vulnerability Lets Attackers Execute Malicious SQL Code on Web Servers

Django Security Update: SQL Injection Vulnerability Addressed

The Django development team has released critical security updates to address a high-severity vulnerability that could allow attackers to execute malicious SQL code on web servers using the framework.

The vulnerability, identified as CVE-2025-57833, affects multiple versions of Django. Users are strongly advised to upgrade their installations without delay.

Updated Versions Released

In accordance with its security policy, Django has released new versions to resolve the issue: Django 5.2.6, Django 5.1.12, and the long-term support (LTS) release Django 4.2.24.

Technical Details

The vulnerability is located within the FilteredRelation component of Django’s Object-Relational Mapping (ORM) system. An attacker could exploit this flaw by passing a specially crafted dictionary as a keyword argument to the QuerySet.annotate() or QuerySet.alias() methods, potentially leading to an SQL injection attack.

Security Implications

SQL injection is classified as a “High” severity issue under Django’s security guidelines, as it can enable attackers to view, modify, or delete sensitive data, and in some cases, gain full control over the affected database server. The affected versions include the main development branch and versions 5.2, 5.1, and 4.2.

The Django team has applied patches to all active branches to address the vulnerability. The issue was responsibly disclosed by security researcher Eyal Gabay of EyalSec.

Recommended Actions

Developers and system administrators using Django are urged to review their projects and apply the updates immediately. The patches are available in the latest versions on the Python Package Index (PyPI) and through Django’s official Git repository.

Failure to upgrade could expose applications to significant security risks, including unauthorized data access and potential database compromise.
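The first step of the review the article calls for is working out whether an installed Django falls below the fixed releases it names (5.2.6, 5.1.12 and 4.2.24). The check below is an added example, not code from the article or from the Django project. It encodes only the release numbers and affected branches stated above; the handling of versions on branches the advisory does not name (no fixed release listed, so only an upgrade to a supported branch remediates) and the treatment of pre-release suffixes are assumptions made here.

```python
"""
Assess an installed Django version against the fixed releases for
CVE-2025-57833 (FilteredRelation SQL injection), as named in the advisory.

Fixed releases: 5.2.6, 5.1.12 and 4.2.24 (LTS).
Affected branches: main, 5.2, 5.1 and 4.2.
"""
import re
from typing import Optional, Tuple

# Minor branch -> first release containing the fix (numbers from the advisory).
FIXED_RELEASES = {
    (5, 2): (5, 2, 6),
    (5, 1): (5, 1, 12),
    (4, 2): (4, 2, 24),
}

# Accepts "X.Y", "X.Y.Z" and anything trailing (e.g. "rc1", "a1", ".dev...").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_final) or None if unparseable.

    is_final is False when a pre-release suffix is present; a pre-release
    of the fixed version (e.g. 5.2.6rc1) is treated as predating the fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix == ""


def assess(version: str) -> str:
    """Classify a version string.

    Returns one of:
      "fixed"                   - at or above the fixed release for its branch
      "affected"                - below the fixed release for its branch
      "no_fixed_release_listed" - branch not named in the advisory (assumption:
                                  no patched release exists; upgrade to a
                                  supported branch instead)
      "unparseable"             - not a recognisable version string
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, minor, patch, is_final = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "no_fixed_release_listed"
    current = (major, minor, patch)
    if current > fixed or (current == fixed and is_final):
        return "fixed"
    return "affected"


def installed_django_version() -> Optional[str]:
    """Return the version of the Django importable in this interpreter, if any."""
    try:
        import django  # only present when the project environment is active
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    installed = installed_django_version()
    if installed is None:
        print("Django is not importable in this environment.")
    else:
        print(f"Django {installed}: {assess(installed)}")
```

Run it inside each project's virtual environment so the import resolves to the Django that project actually ships with; a result of "affected" or "no_fixed_release_listed" means the upgrade described above is still outstanding for that deployment.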