CVE-2025-64459

Published Nov 5, 2025

Last updated 2 months ago

CVSS critical 9.1
Python
Django

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64459 is an SQL injection vulnerability affecting Django, a widely used Python web framework. The vulnerability resides in the `QuerySet` methods `filter()`, `exclude()` and `get()` and in the `Q()` class. It occurs when a crafted dictionary is passed to these methods through dictionary expansion (`**kwargs`) so that it supplies the internal `_connector` argument. An attacker who controls such a dictionary can inject SQL through the `_connector` value, which can lead to unauthorized database access, data manipulation, or exposure of sensitive information. Django versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8 are affected. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) might also be affected.

Description
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
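The pattern the description points at is a view that unpacks a client-controlled mapping straight into `filter()`, `exclude()`, `get()` or `Q()`, so that a key such as `_connector` reaches an internal argument. The following Python is an added example, not Django's code or the advisory's, showing three defender-side checks: a version check against the affected ranges listed above, an allow-list helper that lets only expected lookup names through and rejects every underscore-prefixed key, and a simple source scan that lists each call site unpacking a dict into those methods so it can be reviewed. `ALLOWED_USER_LOOKUPS`, `build_filter_kwargs`, `find_dict_expansion_calls` and the sample view source are assumptions constructed for this example.

```python
"""Added defender-side checks for CVE-2025-64459; example code, not Django's own
or the advisory's. All names and sample data below are constructed for this example."""
import re
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# First fixed release of each affected series, as listed in the advisory.
FIXED_RELEASES = {
    (4, 2): (4, 2, 26),
    (5, 1): (5, 1, 14),
    (5, 2): (5, 2, 8),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.1.13' -> (5, 1, 13). Only the leading digits of each piece count, so a
    pre-release such as '5.2.8a1' parses as (5, 2, 8); treat such builds with care."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str) -> Optional[bool]:
    """True if `version` is inside an affected range, False if it is at or beyond
    the fixed release of its series, None if the advisory does not evaluate that
    series (e.g. 5.0.x, 4.1.x, 3.2.x), which it says may also be affected."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    padded = (parsed + (0, 0, 0))[:3]  # '5.1' counts as 5.1.0
    return padded < fixed


class UnsafeFilterKey(ValueError):
    """Raised for a filter key that is not an expected lookup name."""


ALLOWED_USER_LOOKUPS = frozenset({"username", "username__icontains", "email"})  # constructed


def build_filter_kwargs(untrusted: Mapping[str, str], allowed: Iterable[str]) -> Dict[str, str]:
    """Keep only allow-listed keys from a client-controlled mapping (e.g. request.GET).
    Anything else, including every underscore-prefixed name such as `_connector`,
    is rejected with an exception rather than silently dropped, so the attempt
    shows up in application logs."""
    allowed = set(allowed)
    safe: Dict[str, str] = {}
    for key, value in untrusted.items():
        if key.startswith("_") or key not in allowed:
            raise UnsafeFilterKey(f"rejected filter parameter {key!r}")
        safe[key] = value
    return safe


def rejects(untrusted: Mapping[str, str], allowed: Iterable[str]) -> bool:
    """True if build_filter_kwargs would refuse this mapping."""
    try:
        build_filter_kwargs(untrusted, allowed)
    except UnsafeFilterKey:
        return True
    return False


# Any call site that unpacks a mapping into QuerySet.filter/exclude/get or Q().
DICT_EXPANSION_CALL = re.compile(r"(\.(filter|exclude|get)|\bQ)\(\s*\*\*")


def find_dict_expansion_calls(source: str) -> List[Tuple[int, str]]:
    """(line number, stripped line) for every line that unpacks a dict into
    filter()/exclude()/get()/Q(). This is a triage list, not a verdict: a flagged
    site is fine when the dict comes from a trusted source or an allow-list."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if DICT_EXPANSION_CALL.search(line)]


# Constructed sample: one view with the unsafe pattern, one with the allow-list.
SAMPLE_VIEW_SOURCE = """\
def user_list(request):
    users = User.objects.filter(**request.GET.dict())  # client keys reach filter()
    return JsonResponse(list(users.values("username")), safe=False)

def user_list_safe(request):
    kwargs = build_filter_kwargs(request.GET.dict(), ALLOWED_USER_LOOKUPS)
    users = User.objects.filter(**kwargs)  # only allow-listed lookups
    return JsonResponse(list(users.values("username")), safe=False)
"""


if __name__ == "__main__":
    for v in ("4.2.25", "4.2.26", "5.1.13", "5.2.8", "5.0.3"):
        print(v, "affected:", is_affected(v))
    print(build_filter_kwargs({"username": "alice"}, ALLOWED_USER_LOOKUPS))
    print("rejects _connector:", rejects({"username": "alice", "_connector": "x"}, ALLOWED_USER_LOOKUPS))
    for lineno, line in find_dict_expansion_calls(SAMPLE_VIEW_SOURCE):
        print(f"review line {lineno}: {line}")
```

The scan flags both views in the sample (lines 2 and 7), which is intended: it finds every place a dict reaches these methods, and the reviewer then confirms that the dict is either trusted or passed through an allow-list like `build_filter_kwargs`. The allow-list is exact-match on lookup names, so a lookup such as `username__icontains` must be listed explicitly; that keeps the set of query shapes a client can request fixed at the view.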
Source
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
NVD status
Analyzed
Products
django

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CWE-89

Social media

Hype score
Not currently trending
  1. Day 75 of #100DaysOfCybersecurity 🛡️ Django CVE-2025-64459 lab completed ✅ Explored how unsafe use of Django ORM kwargs allows attackers to inject internal query parameters. Fix 🔐 Django now restricts these parameters to internal Q objects only. Upgrade patched versi

    @HezyChacha

    27 Dec 2025

    76 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/XGru30tXIb #tryhackme via @tryhackme

    @HezyChacha

    27 Dec 2025

    7 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/JuWrDfvTpk #tryhackme via @tryhackme

    @AgboolaIbrahem

    3 Dec 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/uNy0tPgTyG #tryhackme via @tryhackme

    @mld_77

    1 Dec 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. I did "Django: CVE-2025-64459" for my 759th @tryhackme room! https://t.co/5iBRIuxgYg

    @NapaCorruption

    29 Nov 2025

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. GitHub - omarkurt/django-connector-CVE-2025-64459-testbed: A self-contained testbed for Django CVE-2025-64459. Demonstrates QuerySet.filter() parameter injection via dictionary expansion using Docker. https://t.co/h2GVj2VkTz https://t.co/e5xjajVxCF

    @secharvesterx

    22 Nov 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/fNLyRXlui3 #tryhackme via @tryhackme

    @benhjt

    22 Nov 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/rneWyH8Brn #tryhackme via @tryhackme

    @ChawiRajaa33737

    20 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/rcbVh7LniP #tryhackme via @tryhackme

    @Freyxfi

    20 Nov 2025

    414 Impressions

    0 Retweets

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/y3M47HzqN5 #tryhackme via @tryhackme

    @KhanalAvishek21

    20 Nov 2025

    2 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. New research drop: Django CVE-2025-64459 is a critical SQL injection in the ORM. We explain the bug, share a PoC, and give hardening tips for Django teams. Read: https://t.co/cqZOqRtncb #Django #AppSec #sqlinjection #CVE202564459 #hiddeninvestigations https://t.co/lVPEHZ0uQZ

    @hisecuritylab

    20 Nov 2025

    133 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. A recent threat just dropped, and we said cool let's make it into a hands-on room just for you! 😎 Welcome to Django: CVE-2025-64459 🔥 https://t.co/xYVG9s44kk

    @Hacker128115

    19 Nov 2025

    1 Impression

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. A recent threat just dropped, and we said cool let's make it into a hands-on room just for you! 😎 Welcome to Django: CVE-2025-64459 🔥 Learn about Django’s recent vulnerability, CVE-2025-64459, and understand the causes that led to it. Then exploit a vulnerable system h

    @Hacker128115

    19 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. I just completed Django: CVE-2025-64459 room on TryHackMe. Explore and learn about the Django CVE-2025-64459 vulnerability. https://t.co/oSOjxPHEqM #tryhackme via @tryhackme

    @GuanShanZhe

    19 Nov 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🐱New YouTube video 🐯TryHackMe Django: CVE-2025-64459 - Full Walkthrough 2025 🧸For TryHackMe room Django: CVE-2025-64459 Explore and learn about the Django CVE-2025-64459 vulnerability. Link in first comment: ⤵️⤵️🦜🦜 https://t.co/hFbNvHQRza

    @DjalilAyed

    19 Nov 2025

    83 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  16. 🐯 New room Django: CVE-2025-64459 from @tryhackme 🫒 Explore and learn about the Django CVE-2025-64459 vulnerability. 🏕️ Task 1: Introduction 🏝️ Task 2: Technical Details ⛰️ Task 3: Exploitation ✈️ Task 4: Conclusion Link in first comment: ⤵️⤵️

    @DjalilAyed

    18 Nov 2025

    91 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  17. A recent threat just dropped, and we said cool let's make it into a hands-on room just for you! 😎 Welcome to Django: CVE-2025-64459 🔥 Learn about Django’s recent vulnerability, CVE-2025-64459, and understand the causes that led to it. Then exploit a vulnerable system i

    @tryhackme

    17 Nov 2025

    10267 Impressions

    19 Retweets

    198 Likes

    58 Bookmarks

    2 Replies

    3 Quotes

  18. Django and CVE-2025-64459: that /users?username=foo endpoint that spits out pretty JSON, but behind the scenes is throwing request.GET straight into filter(). Then a stray _connector in the middle of the GET decides to play with the query. 🫶🏻

    @hashtagsec

    16 Nov 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. New video is out, friends 🔥🔥 - Differences in ORM behaviour depending on the database type - The ORM layer from an attacker's perspective and the importance of creativity - A step-by-step look at how an SQL injection attack is carried out Django CVE-2025-64459 Analysis

    @mdisec

    10 Nov 2025

    17071 Impressions

    10 Retweets

    123 Likes

    114 Bookmarks

    2 Replies

    1 Quote

  20. High-risk vulnerabilities in Django: SQL injection (CVE-2025-64459) and DoS (CVE-2025-64458) https://t.co/rgySWZuCFI #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃

    @securityLab_jp

    10 Nov 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 Django hit by a critical SQL injection vulnerability! CVE-2025-64459, check right away whether your project is affected! #网络安全 #Django漏洞

    @silakos472

    9 Nov 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 Multiple Django vulnerabilities allow SQL injection and DoS attacks ⚠️ CVE-2025-64459 CVE-2025-64458 https://t.co/2L1AqvrYrK https://t.co/6ULJOZ4YpG

    @elhackernet

    8 Nov 2025

    2474 Impressions

    4 Retweets

    20 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  23. ⚠️Vulnerabilities in Django products ❗CVE-2025-64459 ❗CVE-2025-64458 ➡️More info: https://t.co/t7BsfWczrX https://t.co/6nLuQNOiPH

    @CERTpy

    7 Nov 2025

    83 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🎯#Django emergency update: the Django security team published a patch on 2025-11-05. It addresses SQL injection (CVE-2025-64459) and DoS (CVE-2025-64458). Criminal IP has confirmed 26,996 exposed

    @CriminalIP_JP

    7 Nov 2025

    155 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch that fixes SQL injection and Denial-of-Service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting h

    @CriminalIP_US

    7 Nov 2025

    903 Impressions

    3 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  26. 🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch fixing SQL injection and denial-of-service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting, 26,996 worldwide

    @CriminalIP_KR

    7 Nov 2025

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Check up this awesome content: Critical SQL Injection Vulnerability in Django (CVE-2025-64459) | Blog | Endor Labs: https://t.co/WocahJgdYp

    @kaly7dev

    7 Nov 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 2 CVEs in Django https://t.co/zVVMhipLcl CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE-2025-64459: Potential SQL injection via _connector keyword argument in QuerySet and Q objects

    @oss_security

    7 Nov 2025

    416 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  29. #Django: Critical SQL Injection Vulnerability in Django (CVE-2025-64459): https://t.co/aYK8gTJVXY

    @securestep9

    6 Nov 2025

    17845 Impressions

    53 Retweets

    229 Likes

    144 Bookmarks

    0 Replies

    0 Quotes

  30. Two vulnerabilities have been published for Django, with identifiers CVE-2025-64458 (DoS) and CVE-2025-64459 (SQL injection). If you use versions 4.2, 5.1, 5.2 of this product, be sure to patch

    @EthicalSafe

    6 Nov 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Serious vulnerabilities found in Django. The latest versions fixing the flaws that allow SQL injection and DoS attacks have been released. Developers should update immediately. On November 5, the Django development team released 5.2.8, 5.1.14 and 4.2.26

    @yousukezan

    6 Nov 2025

    1717 Impressions

    1 Retweet

    15 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2025-64459, -64458: SQLi and DoS in Django Framework, 7.5 - 9.1 rating 🔥 A recent security update from the Django Team fixes two vulns that could allow an attacker to destroy or retrieve database contents Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/tUzBn63

    @Netlas_io

    6 Nov 2025

    499 Impressions

    2 Retweets

    10 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  33. 🚨🚨Django Patches Two High-Severity Vulnerabilities CVE-2025-64459(CVSS 9.1): High-Severity SQL Injection via _connector Keyword CVE-2025-64458(CVSS 7.5): Moderate Denial-of-Service (DoS) on Windows via Unicode Redirects ZoomEye Dork👉app="Django" 189.7k+ exposed instanc

    @zoomeye_team

    6 Nov 2025

    5815 Impressions

    13 Retweets

    39 Likes

    13 Bookmarks

    0 Replies

    1 Quote

Configurations