Django 5.X SQLi via FilteredRelation alias pre-5.2.9, 5.1.15, 4.2.27
CVE-2025-13372 Published on December 2, 2025
Potential SQL injection in FilteredRelation column aliases on PostgreSQL
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
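An added example, not code from the Django advisory or the Django code base: the defensive pattern for the `annotate()`/`alias()` call described above, validating every alias name before a request-derived dictionary is expanded into `**kwargs`. The alias allowlist, the relation name, the condition factory and the injected `filtered_relation_cls` parameter are assumptions for this example; in a real project pass `django.db.models.FilteredRelation`.

```python
import re

# Constructed allowlist for this example: the only annotation names the view
# is prepared to expose. An explicit set like this is preferable to a shape
# check alone, because the caller then cannot pick the alias at all.
PERMITTED_ALIASES = {"recent_books", "published_books"}

# Shape check used as a second line of defence: an alias that is about to
# become an SQL column alias should never be anything but a plain identifier.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnsafeAliasError(ValueError):
    """A requested annotation/alias name is not acceptable as an SQL column alias."""


def is_safe_alias(name, permitted=PERMITTED_ALIASES):
    """True if `name` is a plain identifier and (when an allowlist is given) on it."""
    if not isinstance(name, str) or IDENTIFIER_RE.fullmatch(name) is None:
        return False
    return permitted is None or name in permitted


def validate_alias_names(requested, permitted=PERMITTED_ALIASES):
    """Return the requested alias names if every one is safe to use as a keyword
    name for QuerySet.annotate()/QuerySet.alias(); otherwise raise.

    The whole batch is rejected on the first bad name, so a dictionary built
    from request data is never partially expanded into **kwargs.
    """
    checked = []
    for name in requested:
        if not is_safe_alias(name, permitted):
            raise UnsafeAliasError(f"rejected alias name: {name!r}")
        checked.append(name)
    return checked


def build_filtered_relation_kwargs(untrusted, relation, condition_factory,
                                   filtered_relation_cls, permitted=PERMITTED_ALIASES):
    """Turn an untrusted {alias: filter_value} mapping into the **kwargs for
    annotate()/alias(), validating every alias before it becomes an SQL name.

    `filtered_relation_cls` is django.db.models.FilteredRelation in a real
    project; it is injected so this helper runs without Django installed.
    `condition_factory(value)` builds the Q() condition for the relation.
    """
    aliases = validate_alias_names(untrusted.keys(), permitted)
    return {
        alias: filtered_relation_cls(relation, condition=condition_factory(untrusted[alias]))
        for alias in aliases
    }
```

Only after this validation should the returned mapping be expanded, as in `Author.objects.annotate(**kwargs)`; upgrading to a fixed release remains the primary mitigation.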
Vulnerability Analysis
CVE-2025-13372 is exploitable with network access and requires user interaction. The attack complexity is considered low. A successful exploit is considered to have a small impact on confidentiality, integrity and availability.
Timeline
Initial report received.
Vulnerability confirmed. 9 days later.
Security release issued. 14 days later.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2025-13372 has been classified as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2025-13372
Affected Versions
djangoproject Django:
- Versions from 5.2 up to, but not including, 5.2.9 are affected.
- Version 5.2.9 is unaffected.
- Versions from 5.1 up to, but not including, 5.1.15 are affected.
- Version 5.1.15 is unaffected.
- Versions from 4.2 up to, but not including, 4.2.27 are affected.
- Version 4.2.27 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.