The Django Software Foundation has released important security updates for multiple supported versions of the popular Python web framework. The patches address a high-severity vulnerability tracked as CVE-2025-57833 (CVSS 7.1), which could allow attackers to perform SQL injection via FilteredRelation column aliases.
In the official advisory, the Django team explained: “FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().”
The flaw is reachable only when untrusted input chooses the alias name itself: the dictionary key that an application expands into QuerySet.annotate() or QuerySet.alias() with a FilteredRelation as the value (for example annotate(**{request.GET["name"]: FilteredRelation(...)})). Django already rejects ordinary annotation aliases that contain quotation marks, whitespace, semicolons or SQL comments, but FilteredRelation aliases skipped that check and reached the generated join unquoted, so a crafted key could splice arbitrary SQL into the statement. Such injection can lead to unauthorized data access, tampering, or full compromise of the application database. Applications that hard-code alias names, or pick them from a fixed allow-list, are not exposed even on unpatched versions.
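To make the mechanism concrete, here is an added Python illustration; it is not code from the Django project or from the advisory, and it deliberately avoids a Django dependency. The helpers render_filtered_relation_join, build_query, resolve_alias and alias_rejected are stand-ins for the ORM code path, the table and column names are made up, and the FORBIDDEN_ALIAS_PATTERN regex is modelled on the check Django applies to annotation aliases (its exact form is an assumption). The attacker-controlled value is the dictionary key, exactly as in the advisory; with validate=False the alias is emitted unquoted, as the unpatched ORM did, and with validate=True it is run through the alias check first.

```python
import re

# Modelled on the rule Django applies to annotation aliases (whitespace, quotes,
# semicolons and SQL comment sequences are rejected). The exact regex is an
# assumption made for this example, not copied from the project.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias: str) -> str:
    """Reject an alias that could break out of its position in the SQL text."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments."
        )
    return alias


def render_filtered_relation_join(alias: str, validate: bool) -> str:
    """Stand-in for the join a FilteredRelation adds to a query.

    The alias is emitted unquoted because the ORM treats it as a table alias
    rather than a column name. validate=False mirrors the vulnerable code path,
    validate=True the patched one.
    """
    if validate:
        check_alias(alias)
    return (
        f'LEFT OUTER JOIN "app_book" {alias} ON '
        '("app_book"."author_id" = "app_author"."id" AND "app_book"."year" > 2000)'
    )


def build_query(alias: str, validate: bool) -> str:
    """Stand-in for Author.objects.annotate(**{alias: FilteredRelation(...)})."""
    join = render_filtered_relation_join(alias, validate)
    return f'SELECT "app_author"."name" FROM "app_author" {join}'


# Constructed attacker input. The payload lives in the dictionary *key*: it
# closes the alias, supplies its own join condition and comments out the real one.
PAYLOAD = "b ON 1=1 --"


def alias_rejected(alias: str) -> bool:
    """True if the patched-style validation refuses the alias."""
    try:
        check_alias(alias)
    except ValueError:
        return True
    return False


# Application-side mitigation that works on any Django version: never let the
# request pick the alias; map the requested name onto a fixed allow-list.
ALLOWED_ALIASES = {"recent": "recent_books", "classic": "classic_books"}


def resolve_alias(requested: str) -> str:
    """Translate an untrusted selector into one of the hard-coded aliases."""
    try:
        return ALLOWED_ALIASES[requested]
    except KeyError:
        raise ValueError(f"unknown relation filter: {requested!r}") from None


if __name__ == "__main__":
    vulnerable = build_query(PAYLOAD, validate=False)
    print("unpatched path emits:", vulnerable)
    print("attacker text reached the SQL:", PAYLOAD in vulnerable)
    print("patched path rejects payload:", alias_rejected(PAYLOAD))
    print("allow-listed alias:", build_query(resolve_alias("recent"), validate=True))
```

Run as a script it prints the injected statement from the unpatched path (the real join condition ends up behind the attacker's `--` comment), then shows the same key being refused once the alias check is applied. The allow-list in resolve_alias is the application-level fix: the request selects among aliases the developer wrote, so no request string is ever spliced into the query, which is the right pattern regardless of the Django version in use.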
The Django team classified the vulnerability as “high” severity under the Django security policy. While not a remote code execution flaw, SQL injection remains one of the most dangerous classes of vulnerabilities in web applications, frequently exploited in real-world breaches.
The report credits security researcher Eyal Gabay (EyalSec) for responsibly disclosing the issue.
According to the advisory, the following releases are vulnerable:
- Django main branch
- Django 5.2
- Django 5.1
- Django 4.2
To mitigate the risk, the Django team has issued a fixed release for each affected series; deployments should upgrade to the patched version for the series they run, and, until then, avoid passing request-controlled strings as alias keys to annotate() or alias().