Potential SQL injection via _connector keyword argument in QuerySet and...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.

AI Analysis

SQL injection vulnerability in Django's QuerySet and Q objects via the _connector keyword argument

Basic Information

ID CVE-2025-64459

Source DSF

Published Nov 5, 2025 at 15:09

Modified Nov 5, 2025 at 16:29

Affected Product

Vendor djangoproject

Product Django

Version 5.2

Affected Versions djangoproject Django 5.2
djangoproject Django 5.1
djangoproject Django 4.2

CWE Classification

CWE-89

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Django Software Foundation

Product Django

Version 5.1, 4.2, 5.2

References

{
    "lastseen": "",
    "description": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.",
    "published": "2025-11-05T15:09:58.239Z",
    "modified": "2025-11-05T16:29:25.943Z",
    "type": "cve",
    "title": "Potential SQL injection via _connector keyword argument in QuerySet and Q objects",
    "source": "DSF",
    "references": "https://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2025/nov/05/security-releases/",
    "id": "CVE-2025-64459",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "djangoproject Django 5.2\ndjangoproject Django 5.1\ndjangoproject Django 4.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Django",
    "version": "5.2",
    "vendor": "djangoproject",
    "ai_description": "SQL injection vulnerability in Django's QuerySet and Q objects via the _connector keyword argument",
    "ai_severity": "Critical",
    "ai_vendor": "Django Software Foundation",
    "ai_product": "Django",
    "ai_version": "5.1, 4.2, 5.2",
    "ai_score": 9.1
}

Potential SQL injection via _connector keyword argument in QuerySet and Q objects_CVE-2025-64459