Friday, April 24, 2026

Multiple Vulnerabilities In Django Facilitate SQL Injection and Denial-of-Service Attacks

The Django project released security patches on December 2, 2025, addressing two vulnerabilities in versions 5.2.9, 5.1.15, and 4.2.27.

Posted by maintainer Natalia Bidart, these updates fix a high-severity SQL injection risk on PostgreSQL and a moderate-severity denial-of-service (DoS) flaw in the XML serializer.

Affected branches include the main codebase, Django 6.0 (release candidate), 5.2, 5.1, and 4.2. Users should upgrade immediately to mitigate potential exploits, in line with Django’s security policy.

Django, a popular Python web framework, powers thousands of applications.

These flaws could enable attackers to manipulate databases or crash services, underscoring the need for prompt patching in production environments.

CVE-2025-13372: SQL Injection via FilteredRelation Aliases

This high-severity issue (per Django’s policy) stems from improper handling of column aliases in FilteredRelation.

Attackers can inject malicious SQL using a crafted dictionary expanded via **kwargs in QuerySet.annotate() or QuerySet.alias() calls, but only on PostgreSQL backends.

FilteredRelation lets developers filter related querysets during annotations. Usually, it generates safe SQL aliases like related__field.

However, dictionary expansion allows unescaped input, such as {"alias": "malicious'; DROP TABLE users;--"}, to bypass sanitization.

This crafts payloads like alias '; malicious'; DROP TABLE users;--', executing arbitrary SQL if the query reaches the database.

Stackered reported the flaw. Patches escape aliases across branches, including main, 5.2, and others. No public exploits exist yet, but the PostgreSQL-specificity limits the blast radius to that database.

CVE-2025-64460: DoS From XML Text Extraction Complexity

Reported by Seokchan Yoon of ch4n3.kr, this moderate-severity vulnerability affects django.core.serializers.xml_serializer.getInnerText().

Remote attackers submit crafted XML to XML deserialization endpoints, triggering CPU and memory exhaustion.

The function recursively collects text nodes by repeatedly concatenating their texts: text += node.text in a loop.

Deeply nested XML, like <root><a><b>…</b></a></root> repeated exponentially, causes quadratic time complexity.

For depth $n$, concatenation builds strings of size $O(2n)$, exhausting resources in seconds.

Patches optimize to linear-time collection using lists joined once, available on main, 5.2, and more.
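The two text-collection shapes contrasted above, as an added illustration (not Django's own code): both walk a minidom tree, and each returns the collected text together with a count of characters copied on a constructed nested document, so the quadratic-versus-linear difference shows up as a deterministic number rather than a timing.

```python
import xml.dom.minidom as minidom

TEXT_TYPES = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)


def inner_text_nested_join(node):
    """Pre-patch shape as the article describes it: every recursion level builds
    a complete string for its subtree, so text d levels deep is copied d times
    on the way up. Returns (text, chars_copied), the sum of all string lengths
    produced along the way, i.e. the real amount of copying done."""
    parts, copied = [], 0
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            parts.append(child.data)
        elif child.nodeType == minidom.Node.ELEMENT_NODE:
            sub_text, sub_copied = inner_text_nested_join(child)
            parts.append(sub_text)
            copied += sub_copied
    text = "".join(parts)
    return text, copied + len(text)


def inner_text_single_join(node):
    """Patched shape: push every fragment into one list and join exactly once,
    so each character is copied a single time regardless of nesting depth."""
    parts = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in TEXT_TYPES:
                parts.append(child.data)
            elif child.nodeType == minidom.Node.ELEMENT_NODE:
                walk(child)

    walk(node)
    text = "".join(parts)
    return text, len(text)


def nested_root(depth, chunk="x"):
    """Constructed sample input: `depth` nested <l> elements, each carrying one
    text node of len(chunk) characters. Returns the root element."""
    xml = ("<l>" + chunk) * depth + "</l>" * depth
    return minidom.parseString(xml).documentElement


if __name__ == "__main__":
    for depth in (10, 100, 200):
        root = nested_root(depth)
        _, quadratic = inner_text_nested_join(root)
        _, linear = inner_text_single_join(root)
        print(f"depth={depth:4d}  nested joins copy {quadratic:6d} chars, single join {linear:4d}")
```

With one character of text per level, the nested-join count grows as n(n+1)/2 while the single-join count stays at n, which is the linear-time behaviour the patch restores.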

CVE ID | Severity | Description Summary | Affected Feature | Reporter
--- | --- | --- | --- | ---
CVE-2025-13372 | High | SQLi in FilteredRelation PostgreSQL aliases | QuerySet.annotate()/alias() | Stackered
CVE-2025-64460 | Moderate | DoS via recursive XML string concatenation | xml_serializer.getInnerText() | Seokchan Yoon
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
