The Django Software Foundation has urgently released security patches for its popular Python web framework, addressing two critical vulnerabilities that could enable SQL injection attacks and denial-of-service disruptions.
These flaws, disclosed on November 5, 2025, affect multiple versions including Django 4.2, 5.1, and 5.2, prompting developers worldwide to update immediately to mitigate potential exploits in web applications.
The releases 5.2.8, 5.1.14, and 4.2.26 fix issues that stem from improper handling of inputs in core components, highlighting ongoing challenges in securing high-level frameworks like Django.
Because Django is one of the most widely used tools for building robust web apps, the news underscores the importance of timely patching in enterprise environments where Django powers e-commerce sites, APIs, and content management systems.
At the heart of the vulnerabilities is CVE-2025-64459, a high-severity SQL injection risk affecting key database query methods in Django.
This flaw arises when developers call QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or the Q() class with a maliciously crafted dictionary unpacked as keyword arguments, so that the dictionary supplies the internal _connector keyword argument, allowing attackers to inject arbitrary SQL code.
Such manipulation could lead to unauthorized data access, alteration, or deletion, depending on the application’s database permissions and backend like PostgreSQL or MySQL.
The issue was responsibly reported by researcher cyberstan, who identified how unsanitized dictionary inputs bypass Django’s query safeguards, potentially exposing sensitive user data in production systems.
Django classifies this as high severity due to its remote exploitability without authentication, though no public proof-of-concept has surfaced yet.
Earlier unsupported versions, such as 5.0.x or 4.1.x, may also be vulnerable but were not officially evaluated.
Complementing the injection risk is CVE-2025-64458, a moderate-severity denial-of-service vulnerability specific to Windows environments.
This stems from Python's slow NFKC Unicode normalization process, which can be triggered when an application builds a redirect with HttpResponseRedirect, HttpResponsePermanentRedirect, or the redirect shortcut from attacker-supplied input containing an excessively large Unicode string.
On Windows servers, this causes significant CPU consumption, potentially crashing or slowing Django applications under targeted traffic.
Discovered by Seokchan Yoon, the flaw relies on platform-specific performance characteristics of Python's unicodedata module, making it a vector for resource exhaustion attacks against web servers.
While less severe than SQL injection, it remains a concern for Windows-hosted Django deployments, where even a single malicious request could disrupt service availability.
Both vulnerabilities impact Django’s main branch, the 6.0 beta, 5.2 series (before 5.2.8), 5.1 series (before 5.1.14), and 4.2 series (before 4.2.26), covering a broad range of active installations.
Patches are available as Git commits for each branch, with full releases downloadable from the official site and signed with Natalia Bidart's PGP key.
Developers should prioritize upgrades, review query constructions for _connector usage, and implement input validation to harden applications further.
Monitoring tools and database auditing can help detect anomalous activity post-patch.
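One concrete way to apply the advice above: a view that unpacks a client-supplied dictionary straight into QuerySet.filter(**params) lets the client choose the keyword names themselves, including internal ones such as _connector. The following added example (not Django's code; the Order model, field names and permitted lookups are assumptions) is a plain-Python allowlist that admits only known field lookups and rejects every other key before it reaches the ORM.

```python
"""Allowlist client-supplied keyword arguments before QuerySet.filter().

Added example, not part of Django. Pure Python so it runs without Django;
the fields and lookups below are assumptions for an imaginary Order model.
"""
from __future__ import annotations

# Fields a client may filter on, with the lookups permitted for each (assumed).
ALLOWED_LOOKUPS: dict[str, set[str]] = {
    "status": {"exact", "in"},
    "created": {"gte", "lte"},
    "customer_id": {"exact"},
}


class UnsafeFilterKey(ValueError):
    """A client-supplied key is not an allowlisted field lookup."""


def safe_filter_kwargs(untrusted: dict[str, object]) -> dict[str, object]:
    """Return only kwargs of the form 'field' or 'field__lookup' that are allowlisted.

    Keys starting with an underscore (such as the internal '_connector' argument
    named in CVE-2025-64459) are rejected outright; unknown fields and
    non-allowlisted lookups raise UnsafeFilterKey instead of being forwarded.
    """
    clean: dict[str, object] = {}
    for key, value in untrusted.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeFilterKey(f"rejected key: {key!r}")
        field, sep, lookup = key.partition("__")
        lookups = ALLOWED_LOOKUPS.get(field)
        if lookups is None:
            raise UnsafeFilterKey(f"unknown field: {field!r}")
        if sep and lookup not in lookups:
            raise UnsafeFilterKey(f"lookup {lookup!r} not allowed on {field!r}")
        clean[key] = value
    return clean


def is_safe(untrusted: dict[str, object]) -> bool:
    """True if every key in the dictionary passes the allowlist."""
    try:
        safe_filter_kwargs(untrusted)
    except UnsafeFilterKey:
        return False
    return True


# Risky pattern:    Order.objects.filter(**request.GET.dict())
# Hardened pattern: Order.objects.filter(**safe_filter_kwargs(request.GET.dict()))
```

Applying the allowlist before the ORM call also keeps the code safe on patched versions, where the query methods still accept any keyword name a caller hands them.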
| CVE ID | Description | Severity (Django Policy) | Affected Versions | Patched Versions | CVSS Score (Estimated) |
|---|---|---|---|---|---|
| CVE-2025-64459 | SQL injection via _connector in QuerySet.filter(), exclude(), get(), and Q() | High | Main, 6.0 beta, 5.2 <5.2.8, 5.1 <5.1.14, 4.2 <4.2.26 | 5.2.8, 5.1.14, 4.2.26 | 8.8 (High) |
| CVE-2025-64458 | DoS via slow Unicode normalization in redirects on Windows | Moderate | Main, 6.0 beta, 5.2 <5.2.8, 5.1 <5.1.14, 4.2 <4.2.26 | 5.2.8, 5.1.14, 4.2.26 | 5.3 (Medium) |
In summary, these flaws remind the community that even mature frameworks require vigilance, but swift updates ensure Django’s continued reliability for secure web development.