CVE-2025-57833

Published Sep 3, 2025

Last updated 5 months ago

Overview

Description
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases when a suitably crafted dictionary is expanded (**kwargs) into the keyword arguments passed to QuerySet.annotate() or QuerySet.alias().
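The injection vector in the description is the dictionary key, which becomes a column alias; the practical application-side mitigation (besides upgrading to a fixed release) is to never expand untrusted keys into annotate()/alias() without validating them first. The following is an added example, not code from the Django project or from this advisory: it guards the **kwargs expansion by accepting only plain identifiers, optionally restricted to an allowlist, and rejecting anything containing quotes, brackets, semicolons, whitespace or SQL comment markers. The `_RecordingQuerySet` stand-in and the hostile-looking alias in `demo()` are constructed for this example so it runs without Django; the alias illustrates the shape of a key that must be refused, not a proof of concept from the advisory.

```python
import keyword
import re

# Aliases end up in generated SQL as column names. Accept only plain
# identifiers: letters, digits and underscore, not starting with a digit.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Belt-and-braces denylist: anything that could close a quoted identifier,
# terminate the statement or start a comment is rejected outright.
FORBIDDEN_RE = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


class UnsafeAliasError(ValueError):
    """Raised when a user-supplied key is not safe to use as a column alias."""


def validate_alias(alias):
    """Return `alias` unchanged if it is a safe column alias, else raise."""
    if not isinstance(alias, str):
        raise UnsafeAliasError(f"alias must be a str, got {type(alias).__name__}")
    if FORBIDDEN_RE.search(alias) or not ALIAS_RE.fullmatch(alias):
        raise UnsafeAliasError(f"unsafe column alias {alias!r}")
    if keyword.iskeyword(alias):
        # Not an injection risk, but annotate(**{'class': ...}) is confusing
        # and easy to get wrong downstream; keep the accepted set boring.
        raise UnsafeAliasError(f"alias {alias!r} is a Python keyword")
    return alias


def is_safe_alias(alias):
    """Boolean form of validate_alias(), convenient for filtering and tests."""
    try:
        validate_alias(alias)
    except UnsafeAliasError:
        return False
    return True


def safe_kwargs(user_mapping, allowed=None):
    """Validate every key of `user_mapping` before it is expanded as **kwargs.

    `allowed` (optional) is an explicit allowlist of alias names; when given,
    a syntactically valid alias that is not in the list is still rejected.
    Values are passed through untouched: they are expected to be ORM
    expressions built by the application, never raw user strings.
    """
    checked = {}
    for alias, expression in user_mapping.items():
        validate_alias(alias)
        if allowed is not None and alias not in allowed:
            raise UnsafeAliasError(f"alias {alias!r} is not in the allowlist")
        checked[alias] = expression
    return checked


def safe_annotate(queryset, user_mapping, allowed=None):
    """Drop-in wrapper: queryset.annotate(**user_mapping) with the keys vetted."""
    return queryset.annotate(**safe_kwargs(user_mapping, allowed))


class _RecordingQuerySet:
    """Stand-in for a Django QuerySet (constructed for this example) that
    only records which aliases reached annotate()."""

    def annotate(self, **kwargs):
        return sorted(kwargs)


def demo():
    """Exercise the guard with one benign mapping and one hostile key."""
    qs = _RecordingQuerySet()
    # In a real view the right-hand sides would be expressions such as
    # F("payment__amount"); plain strings are used here as placeholders.
    accepted = safe_annotate(qs, {"total_amount": "F('payment__amount')"})
    hostile = {'total" FROM orders; --': "F('payment__amount')"}  # constructed
    try:
        safe_annotate(qs, hostile)
        rejected = False
    except UnsafeAliasError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In a Django view the call site becomes `safe_annotate(Order.objects.all(), mapping, allowed={"total_amount"})` (hypothetical model and alias); the allowlist is the part that actually encodes the application's intent, the regex checks are the safety net for when the allowlist is forgotten. The same wrapper applies to `QuerySet.alias()`, since both accept the same **kwargs shape.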
Source
cve@mitre.org
NVD status
Analyzed
Products
django

Risk scores

CVSS 3.1

Type
Primary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve@mitre.org
CWE-89

Social media

Hype score
Not currently trending
  1. CVE-2025-57833: Django: Potential SQL injection in FilteredRelation column aliases https://t.co/YMhmWxNUu0

    @oss_security

    17 Sept 2025

    275 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. As far as I remember, all the Django bugs, including this latest one (CVE-2025-57833), have had a single cause, and that was land reform.

    @miggovortensen

    10 Sept 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️Django security update ❗CVE-2025-57833 ➡️More info: https://t.co/SoNZjurwGJ https://t.co/6rc6zUwZEL

    @CERTpy

    8 Sept 2025

    129 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 The #Django SQL Injection Flaw: #CVE-2025-57833 Unpacked and Patched https://t.co/CjMsruFAqo Educational Purposes!

    @UndercodeUpdate

    6 Sept 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. URGENT: #openSUSE security update patches critical SQLi vulnerability CVE-2025-57833 in Python-Django. Read more: 👉 https://t.co/VQPLo2FwLO #Security https://t.co/eRKT6YG3Gz

    @Cezar_H_Linux

    5 Sept 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. A dangerous vulnerability in the Python framework Django (CVE-2025-57833) - 合同会社ロケットボーイズ https://t.co/jqRxPngGQx #izumino_trend

    @sec_trend

    5 Sept 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-43300 CVE-2025-48539 CVE-2025-25257 (@0x_shaq) CVE-2025-7775 CVE-2025-57833 (@EyalSec) CVE-2025-53690 CVE-2025-9074 CVE-2025-48543 CVE-2025-24893 https://t.co/KW7HdtM3

    @ptdbugs

    5 Sept 2025

    123 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-57833: Deep Dive into Django SQL injection qs = Order.objects.annotate(total_amount=F("payment__amount")) https://t.co/u7MA6oJ42h #django #sqli #BugBounty

    @NullSecurityX

    5 Sept 2025

    771 Impressions

    8 Retweets

    30 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 New Django vulnerability (CVE-2025-57833) SQL Injection possible via FilteredRelation 👉 Affected: 5.2 / 5.1 / 4.2 ✅ Patched: 5.2.6 / 5.1.12 / 4.2.24 SQLi remains one of the most dangerous threats. Framework ≠ Security guarantee. 📄 Full analysis: 🔗https://t.co/t

    @umidcybers

    4 Sept 2025

    123 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. How to protect yourself from CVE-2025-57833 in Django https://t.co/F1mWSGTiW4

    @hacksgreece

    4 Sept 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Critical Vulnerability in Django Framework (CVE-2025-57833) #CyberSecurity #Django #SQLInjection #CVE2025 #AppSec #infosec https://t.co/9H8nCnU4oP

    @SeReacher

    4 Sept 2025

    4 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨Alert CVE-2025-57833: A New SQL Injection Flaw Puts Django Web Applications at Risk 8.4M Services are found on https://t.co/rXSMCokfMR yearly. Hunter Link:https://t.co/KkV6ky2eqe 📷Query HUNTER : ="Django" #bugbounty #bugbountytips https://t.co/lSb9yo4P5B

    @viehgroup

    4 Sept 2025

    48 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    1 Reply

    0 Quotes

  13. CVE-2025-57833: A New SQL Injection Flaw Puts Django Web Applications at Risk. According to the advisory, the following releases are vulnerable: Django main branch Django 5.2 Django 5.1 Django 4.2 fixed versions: Django 5.2.6 Django 5.1.12 Django 4.2.24 https://t.co/p5sq0b6GBa

    @cyber_advising

    4 Sept 2025

    1016 Impressions

    3 Retweets

    10 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  14. ⚠️⚠️ CVE-2025-57833: A New SQL Injection Flaw Puts Django Web Applications at Risk 🎯1.6m+ Results are found on the https://t.co/pb16tGYaKe nearly year 🔗FOFA Link: https://t.co/xChRxCUIUV FOFA Query:app="django" 🔖Refer:https://t.co/370xjzKgfB #OSINT #FOFA #CyberSe

    @fofabot

    4 Sept 2025

    1869 Impressions

    13 Retweets

    30 Likes

    9 Bookmarks

    5 Replies

    0 Quotes

  15. CVE-2025-57833: SQL Injection in Django, 7.1 rating❗️ A vulnerability in some versions of the Django framework allows attackers to access sensitive data if a web application uses insecure versions. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/RgwFPMJcHX https:

    @Netlas_io

    4 Sept 2025

    605 Impressions

    2 Retweets

    6 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  16. 🚨Alert🚨CVE-2025-57833: A New SQL Injection Flaw Puts Django Web Applications at Risk 📊8.4M Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/VJntCkc3qe 👇Query HUNTER : https://t.co/q9rtuGgxk7="Django" 📰Refer:https://t.co/uBEhVGq

    @HunterMapping

    4 Sept 2025

    7998 Impressions

    34 Retweets

    138 Likes

    67 Bookmarks

    3 Replies

    1 Quote

  17. Django security releases issued: 5.2.6, 5.1.12, and 4.2.24 - CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases https://t.co/GG4SCcMVQg

    @yamaneko1212

    3 Sept 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations