The Django Software Foundation (DSF) has released new security updates for multiple branches of the Django web framework, addressing two vulnerabilities — including a high-severity SQL injection flaw that could allow attackers to manipulate database queries.
The patches are available in Django 5.2.8, 5.1.14, and 4.2.26, as well as the main branch and 6.0 beta. The development team urges all users to upgrade immediately to mitigate potential risks.
CVE-2025-64459: High-Severity SQL Injection via _connector Keyword
The most serious issue resolved in this update is CVE-2025-64459, a high-severity SQL injection vulnerability that affects several common Django database methods — including QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), and the Q() class.
The flaw arises when these methods are used with dictionary expansion via the _connector keyword argument, enabling attackers to inject malicious SQL expressions if the argument’s contents are not properly sanitized.
As the Django team explains, “The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.”
If successfully exploited, this vulnerability could allow remote attackers to modify, leak, or destroy database content, depending on application permissions and deployment configuration. Given Django’s widespread use in enterprise web apps, e-commerce platforms, and APIs, this vulnerability represents a serious threat to production environments running unpatched versions.
The issue was responsibly disclosed by researcher cyberstan, who received public credit for the report. Django classified the flaw as “high severity” under its internal security policy.
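The root of the risk described above is that QuerySet.filter(), QuerySet.exclude() and QuerySet.get() hand their keyword arguments to Q(), whose signature includes the _connector and _negated keyword parameters, so expanding an untrusted dictionary with ** lets a request control those parameters. Upgrading is the fix; the application-level control that remains worthwhile regardless of version is to never expand untrusted dictionaries into ORM calls without allowlisting the keys first. The following is an added example and not code from the advisory or from the Django project; the field list, helper names and sample request dictionaries are assumptions made for the illustration, and the stand-in function only mirrors Q()'s keyword names so the example runs without Django installed.

```python
"""Added example (not from the Django advisory or the Django code base):
allowlisting user-supplied filter parameters before they are expanded into
QuerySet.filter(**kwargs). The field list, helper names and sample request
dictionaries are assumptions made for the example."""
from typing import Mapping


# Hypothetical fields a request may filter on, and the lookups allowed on each.
ALLOWED_LOOKUPS = {
    "status": {"exact", "in"},
    "created": {"gte", "lte"},
    "owner_id": {"exact"},
}


class UnsafeFilterKey(ValueError):
    """Raised when a user-supplied key may not be forwarded to the ORM."""


def safe_filter_kwargs(params: Mapping[str, object]) -> dict:
    """Return a new dict holding only keys that name an allowed field/lookup pair.

    Keys beginning with an underscore are rejected outright: QuerySet.filter()
    passes its kwargs to Q(), whose signature has the _connector and _negated
    keyword parameters, so ** expansion of an untrusted dict can reach them
    unless the caller screens the keys first.
    """
    clean: dict = {}
    for key, value in params.items():
        if key.startswith("_"):
            raise UnsafeFilterKey(f"reserved keyword argument rejected: {key!r}")
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"
        if lookup not in ALLOWED_LOOKUPS.get(field, ()):
            raise UnsafeFilterKey(f"filter not permitted: {key!r}")
        clean[key] = value
    return clean


def is_safe_filter(params: Mapping[str, object]) -> bool:
    """Boolean form of safe_filter_kwargs, convenient for tests and logging."""
    try:
        safe_filter_kwargs(params)
    except UnsafeFilterKey:
        return False
    return True


def stand_in_q(*args, _connector=None, _negated=False, **kwargs):
    """Stand-in with the same keyword names as django.db.models.Q, used only to
    show that an untrusted dict key named _connector lands in the named
    parameter rather than in **kwargs. Returns the connector it received."""
    return _connector


if __name__ == "__main__":
    # Constructed request parameters: the second dict is what the allowlist stops.
    good = {"status__in": ["open", "pending"], "created__gte": "2025-01-01"}
    bad = {"status": "open", "_connector": "OR"}
    print(safe_filter_kwargs(good))
    print("untrusted key reached the named parameter:", stand_in_q(**bad))
    print("allowlist accepts bad dict?", is_safe_filter(bad))
```

In a view this is `Model.objects.filter(**safe_filter_kwargs(request.GET.dict()))` instead of `Model.objects.filter(**request.GET.dict())`. The allowlist is strict by design: a chained lookup such as `owner__name__icontains` is rejected because the part after the first `__` is not a permitted lookup for that field, which is the behaviour wanted when the keys come from a request.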
CVE-2025-64458: Moderate Denial-of-Service (DoS) on Windows via Unicode Redirects
The second vulnerability, CVE-2025-64458, affects Django’s HTTP redirect handling on Windows systems. It is classified as moderate severity, but still poses a potential denial-of-service risk under certain conditions.
According to the advisory, “NFKC normalization in Python is slow on Windows. As a consequence, HttpResponseRedirect, HttpResponsePermanentRedirect, and redirect were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.”
In practical terms, this means that a malicious actor could supply specially crafted URLs with excessive Unicode normalization requirements, causing Django’s redirect functions to consume large amounts of CPU time on Windows hosts. This could lead to performance degradation or service interruption on affected servers.
The issue was discovered by Seokchan Yoon and demonstrates how platform-specific implementation quirks — in this case, Unicode normalization performance in Python — can introduce unexpected security implications even in mature frameworks.
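The defensive pattern that the Windows normalization issue illustrates is general: any processing whose cost grows with attacker-controlled input length needs a length gate that runs before the expensive step, not after it. The following is an added example and not Django's own code or its fix for CVE-2025-64458; the cap of 2048 characters, the helper names and the constructed inputs are assumptions. It bounds the length of a redirect target before NFKC normalization and parsing run on it, so the per-request CPU cost is fixed by the application rather than by the request.

```python
"""Added example (not Django's own code): gate the length of a redirect target
before any Unicode normalization runs on it, so per-request CPU cost is bounded
by a constant the application chooses rather than by the size of the input.
The cap, the helper names and the constructed inputs are assumptions."""
import unicodedata
from urllib.parse import urlsplit


# Assumed cap. Legitimate redirect targets are far shorter; the value only has
# to be small enough that normalizing a string of this length is cheap.
MAX_REDIRECT_LENGTH = 2048


class RedirectTooLong(ValueError):
    """Raised before any normalization work is spent on an oversized target."""


def normalize_redirect_target(url: str, max_length: int = MAX_REDIRECT_LENGTH) -> str:
    """Return the NFKC-normalized target, or raise if it exceeds max_length.

    len() on a str is O(1), while NFKC normalization is linear in the input and
    markedly slower on some platforms, so the length check must come first.
    """
    if len(url) > max_length:
        raise RedirectTooLong(
            f"redirect target of {len(url)} characters exceeds {max_length}"
        )
    normalized = unicodedata.normalize("NFKC", url)
    # Compatibility characters can expand (U+FB01 becomes "fi"), so re-check
    # the result before handing it to further parsing.
    if len(normalized) > max_length:
        raise RedirectTooLong("normalized target exceeds limit")
    return normalized


def redirect_host(url: str) -> str:
    """Parse the gated target and return its host, as a redirect handler would
    before comparing the host against an allowlist."""
    return urlsplit(normalize_redirect_target(url)).hostname or ""


def accepts(url: str) -> bool:
    """True if the target passes the length gate in both raw and normalized form."""
    try:
        normalize_redirect_target(url)
    except RedirectTooLong:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal target and an oversized one built from a
    # compatibility ligature that NFKC must decompose character by character.
    normal = "https://example.com/ﬁles?ref=ﬁrst"
    oversized = "https://example.com/" + "ﬁ" * 200_000
    print(normalize_redirect_target(normal))
    print("oversized accepted?", accepts(oversized))
```

The same gate belongs in front of any other normalization a redirect path performs, including the NFKC step that Python's own urlsplit() applies to a non-ASCII host component; rejecting with an error response costs a constant amount of work, whereas normalizing first and rejecting afterwards has already paid the attacker's price.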
Affected Versions and Patches
The following supported Django versions are affected by one or both of the vulnerabilities:
- Django main branch
- Django 6.0 (beta)
- Django 5.2
- Django 5.1
- Django 4.2
The updated releases — 5.2.8, 5.1.14, and 4.2.26 — are now available via the official Django website and package repositories, along with the accompanying release notes.