High severity7.1NVD Advisory· Published Sep 3, 2025· Updated Jun 17, 2026
CVE-2025-57833
CVE-2025-57833
Description
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | < 4.2.24 | 4.2.24 |
DjangoPyPI | >= 5.0a1, < 5.1.12 | 5.1.12 |
DjangoPyPI | >= 5.2a1, < 5.2.6 | 5.2.6 |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/awxpkg:bitnami/djangopkg:pypi/djangopkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
< 24.6.1-r14+ 8 more
- (no CPE)range: < 24.6.1-r14
- (no CPE)range: >= 4.2.0, < 4.2.24
- (no CPE)range: < 4.2.24
- (no CPE)range: < 4.2.24-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 4.2.11-150600.3.30.1
- (no CPE)range: < 5.2.6-1.1
- (no CPE)range: < 4.2.11-150600.3.30.1
- (no CPE)range: < 4.2.11-150600.3.30.1
- Range: 4.2
Patches
Vulnerability mechanics
References
14- medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898nvdExploitThird Party AdvisoryWEB
- docs.djangoproject.com/en/dev/releases/security/nvdVendor Advisory
- github.com/advisories/GHSA-6w2r-r2m5-xq5wghsaADVISORY
- groups.google.com/g/django-announcenvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-57833ghsaADVISORY
- www.djangoproject.com/weblog/2025/sep/03/security-releases/nvdVendor Advisory
- www.openwall.com/lists/oss-security/2025/09/03/3nvdWEB
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5ghsaWEB
- github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92ghsaWEB
- github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-105.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2025/09/msg00017.htmlnvdWEB
- www.djangoproject.com/weblog/2025/sep/03/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.