CVE-2025-64459 Overview
A critical SQL Injection vulnerability has been discovered in Django, a popular Python web framework. The vulnerability affects the methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), as well as the Q() class. When a suitably crafted dictionary with dictionary expansion is used as the _connector argument, attackers can inject arbitrary SQL commands into database queries.
This vulnerability allows unauthenticated attackers to manipulate database queries remotely, potentially leading to unauthorized data access and data manipulation. Django has acknowledged the security researcher cyberstan for reporting this issue.
Critical Impact
Unauthenticated remote attackers can exploit this SQL injection vulnerability to access or modify sensitive database contents without user interaction.
Affected Products
- Django 5.1 before 5.1.14
- Django 4.2 before 4.2.26
- Django 5.2 before 5.2.8
- Earlier unsupported Django series (5.0.x, 4.1.x, 3.2.x) may also be affected
Discovery Timeline
- 2025-11-05 - Django Project releases security patches
- 2025-11-05 - CVE-2025-64459 published to NVD
- 2025-11-10 - Last updated in NVD database
Technical Details for CVE-2025-64459
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in Django's QuerySet API, specifically within the filter(), exclude(), and get() methods, as well as the Q() class used for complex query construction. The flaw occurs when dictionary expansion (**kwargs) is used with a maliciously crafted dictionary containing the _connector argument.
Under normal circumstances, the _connector parameter is used internally by Django to specify how query conditions should be combined (using AND or OR operators). However, insufficient input validation on this parameter allows an attacker to inject arbitrary SQL syntax when user-controlled data reaches these methods through dictionary expansion.
The vulnerability is exploitable over the network without authentication or user interaction, making it particularly dangerous for Django applications that process user-supplied input in database queries.
Root Cause
The root cause is improper input validation on the _connector argument when passed via dictionary expansion to QuerySet methods. Django failed to sanitize or validate the _connector parameter, allowing malicious SQL fragments to be incorporated directly into generated SQL queries. This bypasses Django's ORM protections that normally prevent SQL injection through parameterized queries.
Attack Vector
The attack can be executed remotely over the network by an unauthenticated attacker. The exploitation scenario involves:
- An attacker identifies a Django application endpoint that passes user-controlled dictionary data to QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or the Q() class
- The attacker crafts a malicious dictionary containing a poisoned _connector key with SQL injection payloads
- When this dictionary is expanded using **kwargs syntax in the application code, the malicious _connector value is processed by Django
- The SQL injection payload is incorporated into the database query, allowing unauthorized data access or modification
For detailed technical analysis and exploitation mechanics, refer to the Shivasurya Analysis on CVE-2025-64459.
Detection Methods for CVE-2025-64459
Indicators of Compromise
- Unusual or malformed SQL queries in database logs containing unexpected _connector values
- Web application firewall (WAF) alerts for SQL injection patterns in POST/GET parameters
- Database error logs showing SQL syntax errors or injection attempt failures
- Unexpected data access patterns or unauthorized database modifications
- HTTP requests containing dictionary-like payloads with _connector keys
Detection Strategies
- Deploy SQL injection detection rules on web application firewalls to inspect dictionary parameters
- Enable detailed database query logging and monitor for anomalous _connector values in queries
- Implement application-level logging to track dictionary expansion operations in QuerySet methods
- Use runtime application self-protection (RASP) solutions to detect SQL injection attempts
- Monitor for exploit attempts using known PoC patterns related to this vulnerability
Monitoring Recommendations
- Review Django application logs for requests containing _connector parameters in user input
- Set up alerts for database queries with unexpected SQL syntax or operators
- Monitor network traffic for patterns consistent with SQL injection reconnaissance
- Enable Django's security logging to capture suspicious ORM operations
- Correlate web server access logs with database audit logs to identify exploitation chains
How to Mitigate CVE-2025-64459
Immediate Actions Required
- Upgrade Django immediately to version 5.1.14, 4.2.26, or 5.2.8 depending on your current series
- Audit application code for instances where user-controlled dictionaries are expanded in QuerySet methods
- Implement input validation to sanitize or reject dictionaries containing _connector keys from user input
- Deploy WAF rules to block requests containing SQL injection patterns in dictionary parameters
- If using unsupported Django versions (5.0.x, 4.1.x, 3.2.x), plan immediate migration to supported versions
Patch Information
Django has released security patches addressing this vulnerability. The patched versions are:
- Django 5.2.8 (for 5.2.x series)
- Django 5.1.14 (for 5.1.x series)
- Django 4.2.26 (for 4.2.x series)
Official patch information and release notes are available from the Django Security Release Notes and the Django Weblog Security Releases.
Workarounds
- Filter and reject any user-supplied dictionaries containing the _connector key before passing to QuerySet methods
- Implement allowlist validation for dictionary keys when processing user input destined for ORM operations
- Use explicit keyword arguments instead of dictionary expansion for QuerySet methods where possible
- Add middleware or decorator validation to strip _connector from incoming request data
- Consider temporarily disabling endpoints that allow arbitrary dictionary input to QuerySet operations until patching is complete
# Upgrade Django to patched version
pip install --upgrade Django>=5.2.8
# Or for specific series:
pip install Django==5.1.14
pip install Django==4.2.26
# Verify installed version
python -c "import django; print(django.VERSION)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
