The maintainers of Django, the high-level Python web framework that powers some of the internet’s largest sites, have released an important security update addressing two distinct vulnerabilities. The most critical of these is a high-severity SQL injection flaw that could allow attackers to compromise database integrity in PostgreSQL environments.
The primary threat, tracked as CVE-2025-13372, is rated as “High” severity. It affects applications that use the FilteredRelation class on PostgreSQL databases.
According to the technical details provided, the vulnerability lies in how the framework handles column aliases. The advisory states that “FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.”
This flaw was reported by security researcher Stackered.
The second vulnerability, CVE-2025-64460, is rated as “Moderate” severity but poses a significant risk to service availability. This Denial-of-Service (DoS) flaw affects the XML serializer.
The issue stems from “algorithmic complexity in django.core.serializers.xml_serializer.getInnerText(),” which allowed attackers to weaponize XML input. By submitting specially crafted XML data, a remote attacker could trigger massive CPU and memory consumption.
The advisory explains that “the vulnerability resulted from repeated string concatenation while recursively collecting text nodes, which produced superlinear computation resulting in service degradation or outage.” Credit for this discovery goes to researcher Seokchan Yoon.
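The cost pattern the advisory describes, as an added illustration that is not Django's code and not the fixed getInnerText(): a hypothetical recursive text collector that concatenates a fresh string at every nesting level, beside the linear list-and-join form, with a copy-cost counter so the superlinear growth shows up on a small constructed document without any timing.

```python
from xml.dom import minidom


def _is_text(child):
    return child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)


def inner_text_naive(node, cost):
    """Hypothetical naive collector: every level materializes its own string
    with '+', so text nested d levels deep is copied about d times.
    cost[0] accumulates characters written by each concatenation."""
    text = ""
    for child in node.childNodes:
        if _is_text(child):
            text = text + child.data
            cost[0] += len(text)
        elif child.nodeType == child.ELEMENT_NODE:
            text = text + inner_text_naive(child, cost)
            cost[0] += len(text)
    return text


def inner_text_linear(node, cost, parts=None):
    """Hardened collector: one list is threaded through the recursion and
    joined exactly once at the top, so each character is written twice."""
    top = parts is None
    parts = [] if top else parts
    for child in node.childNodes:
        if _is_text(child):
            parts.append(child.data)
            cost[0] += len(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            inner_text_linear(child, cost, parts)
    if not top:
        return None
    text = "".join(parts)
    cost[0] += len(text)
    return text


def compare(xml):
    """Parse a constructed document and return
    (naive_text, linear_text, naive_cost, linear_cost)."""
    root = minidom.parseString(xml).documentElement
    naive_cost, linear_cost = [0], [0]
    naive = inner_text_naive(root, naive_cost)
    linear = inner_text_linear(root, linear_cost)
    return naive, linear, naive_cost[0], linear_cost[0]


if __name__ == "__main__":
    # Constructed sample: 50 nested elements around 1000 characters of text.
    print(compare("<r>" + "<e>" * 50 + "x" * 1000 + "</e>" * 50 + "</r>")[2:])
```

With the naive form the copy cost grows as (depth + 1) * text length, while the linear form stays at 2 * text length regardless of depth.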
The vulnerabilities affect all currently supported versions of the framework, including:
- Django Main
- Django 6.0 (currently at release candidate status)
- Django 5.2
- Django 5.1
- Django 4.2
Patches have been applied to all relevant branches, including the upcoming 6.0 release. Developers are urged to update to the newly released versions (5.2.9, 5.1.15, and 4.2.27) immediately to close these security gaps.