AI description
CVE-2025-64459 is an SQL injection vulnerability in Django, a widely used Python web framework. It affects the `QuerySet` methods `filter()`, `exclude()` and `get()` and the `Q()` class, all of which accept a private `_connector` keyword argument: when an application expands an untrusted dictionary into one of these calls (dictionary expansion with `**`), a suitably crafted dictionary can supply that argument and inject SQL. Successful exploitation can lead to unauthorized database access, data manipulation, or exposure of sensitive information. Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8 are affected; earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.
- Description: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
- Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
- NVD status: Undergoing Analysis
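As an added example (not Django's own code), the defensive counterpart of the advisory above: an allowlist that refuses private kwargs such as `_connector` before a request dictionary is expanded into `filter()`/`Q()`, plus a check of an installed version against the fixed releases listed on this page. `SAFE_LOOKUPS`, the field allowlist and the `rejects()` helper are assumptions for illustration; the block needs no Django import and runs offline.

```python
import re

# Lookups this API chooses to expose (assumption: an explicit allowlist).
SAFE_LOOKUPS = {"exact", "iexact", "contains", "icontains", "gte", "lte", "in"}

# First fixed release per series, taken from the advisory text above.
FIXED_VERSIONS = {(4, 2): (4, 2, 26), (5, 1): (5, 1, 14), (5, 2): (5, 2, 8)}

class UnsafeFilterKey(ValueError):
    """A user-supplied kwarg that must not reach QuerySet.filter()/Q()."""

def safe_filter_kwargs(params: dict, allowed_fields: set) -> dict:
    """Return a copy of `params` safe to expand with ** into filter()/Q().
    Keys starting with "_" (`_connector`, `_negated`, ...) are private Django
    arguments and are rejected outright: that is the CVE-2025-64459 path.
    Other keys must be `<field>` or `<field>__<lookup>` with an allowed field
    and a SAFE_LOOKUPS lookup; related-field traversal is not permitted."""
    clean = {}
    for key, value in params.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeFilterKey(f"private kwarg rejected: {key!r}")
        field, _, lookup = key.partition("__")
        if field not in allowed_fields:
            raise UnsafeFilterKey(f"field not exposed: {field!r}")
        if lookup and lookup not in SAFE_LOOKUPS:
            raise UnsafeFilterKey(f"lookup not exposed: {lookup!r}")
        clean[key] = value
    return clean

def rejects(params: dict, allowed_fields: set) -> bool:
    """True when safe_filter_kwargs refuses `params` (helper for checks)."""
    try:
        safe_filter_kwargs(params, allowed_fields)
    except UnsafeFilterKey:
        return True
    return False

def is_patched(version: str):
    """True/False for the series the advisory lists; None for series it did
    not evaluate (5.0.x, 4.1.x, 3.2.x), which callers should treat as
    'unknown, assume affected' rather than as safe."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, micro = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = FIXED_VERSIONS.get((major, minor))
    return None if fixed is None else (major, minor, micro) >= fixed
```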
CVSS 3.1
- Type: Secondary
- Base score: 9.1
- Impact score: 5.2
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Severity: CRITICAL
- Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
- Weakness: CWE-89 (SQL Injection)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 9
🚨 Multiple Django vulnerabilities allow SQL injection and DoS attacks ⚠️ CVE-2025-64459 CVE-2025-64458 https://t.co/2L1AqvrYrK https://t.co/6ULJOZ4YpG
@elhackernet
8 Nov 2025
2426 Impressions
4 Retweets
20 Likes
4 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerabilities in Django products ❗CVE-2025-64459 ❗CVE-2025-64458 ➡️More info: https://t.co/t7BsfWczrX https://t.co/6nLuQNOiPH
@CERTpy
7 Nov 2025
83 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🎯#Django Emergency update: the Django security team published a patch on 2025-11-05. It addresses SQL injection (CVE-2025-64459) and DoS (CVE-2025-64458). Criminal IP confirmed 26,996 exposed hosts
@CriminalIP_JP
7 Nov 2025
155 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch that fixes SQL injection and Denial-of-Service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting h
@CriminalIP_US
7 Nov 2025
903 Impressions
3 Retweets
3 Likes
3 Bookmarks
0 Replies
0 Quotes
🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch that fixes SQL injection and denial-of-service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting results, worldwide 26,996
@CriminalIP_KR
7 Nov 2025
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Check out this awesome content: Critical SQL Injection Vulnerability in Django (CVE-2025-64459) | Blog | Endor Labs: https://t.co/WocahJgdYp
@kaly7dev
7 Nov 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
2 CVEs in Django https://t.co/zVVMhipLcl CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE-2025-64459: Potential SQL injection via _connector keyword argument in QuerySet and Q objects
@oss_security
7 Nov 2025
416 Impressions
0 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
#Django: Critical SQL Injection Vulnerability in Django (CVE-2025-64459): https://t.co/aYK8gTJVXY
@securestep9
6 Nov 2025
17845 Impressions
53 Retweets
229 Likes
144 Bookmarks
0 Replies
0 Quotes
Two vulnerabilities have been published for Django, with identifiers CVE-2025-64458 (DoS) and CVE-2025-64459 (SQL injection). If you use versions 4.2, 5.1, or 5.2 of this product, be sure to patch
@EthicalSafe
6 Nov 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A serious vulnerability has been discovered in Django. A new release that fixes the flaws enabling SQL injection and DoS attacks has been published, and developers should update immediately. On November 5, the Django development team released 5.2.8, 5.1.14 and 4.2.26
@yousukezan
6 Nov 2025
1717 Impressions
1 Retweet
15 Likes
4 Bookmarks
0 Replies
0 Quotes
CVE-2025-64459, -64458: SQLi and DoS in Django Framework, 7.5 - 9.1 rating 🔥 A recent security update from the Django Team fixes two vulns that could allow an attacker to destroy or retrieve database contents Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/tUzBn63
@Netlas_io
6 Nov 2025
499 Impressions
2 Retweets
10 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨🚨Django Patches Two High-Severity Vulnerabilities CVE-2025-64459(CVSS 9.1): High-Severity SQL Injection via _connector Keyword CVE-2025-64458(CVSS 7.5): Moderate Denial-of-Service (DoS) on Windows via Unicode Redirects ZoomEye Dork👉app="Django" 189.7k+ exposed instanc
@zoomeye_team
6 Nov 2025
5815 Impressions
13 Retweets
39 Likes
13 Bookmarks
0 Replies
1 Quote