SQLi Django 5.1/4.2/5.2 before 5.1.14/4.2.26/5.2.8 via QuerySet Q() _connector
CVE-2025-64459 Published on November 5, 2025
Potential SQL injection via _connector keyword argument in QuerySet and Q objects
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
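The defect above is reachable only when an application expands an externally controlled dictionary into `filter()`, `exclude()`, `get()` or `Q()`. Upgrading to the fixed releases is the remedy; independent of that, a defender can make sure no private keyword argument such as `_connector` can ever arrive from outside. The following is an added example, not code from Django or from the page's author: a pure-Python allowlist that an application applies to user-supplied lookup keys before `**`-expanding them. The names `sanitize_lookup_kwargs`, `UnsafeLookup`, `ALLOWED_LOOKUP_TYPES` and the sample field lists are this example's own assumptions.

```python
"""Allowlisting of user-supplied ORM lookup keyword arguments.

Added example, not Django's own code. It rejects any key that is not an
explicitly permitted field path plus an explicitly permitted lookup type,
so a key like "_connector" (or any other private keyword) never reaches
QuerySet.filter()/exclude()/get() or Q(). Values are left alone: the ORM
binds them as query parameters; the issue on this page is about keys.
"""

# Lookup suffixes this hypothetical application chooses to expose.
ALLOWED_LOOKUP_TYPES = frozenset({
    "exact", "iexact", "contains", "icontains", "startswith", "istartswith",
    "gt", "gte", "lt", "lte", "in",
})


class UnsafeLookup(ValueError):
    """Raised when a user-supplied filter key is not on the allowlist."""


def sanitize_lookup_kwargs(user_kwargs, allowed_fields,
                           allowed_lookups=ALLOWED_LOOKUP_TYPES):
    """Return a new dict containing only allowlisted lookup keys.

    allowed_fields: field paths the caller permits, e.g. {"title", "author__name"}.
    A key is accepted if it is exactly an allowed path, or an allowed path
    followed by "__<allowed lookup type>". Everything else raises UnsafeLookup.
    """
    allowed_fields = frozenset(allowed_fields)
    clean = {}
    for key, value in user_kwargs.items():
        # Non-string keys and anything starting with "_" are private/internal
        # keyword arguments and must never be supplied by a caller.
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeLookup(f"private or non-string key rejected: {key!r}")
        if key in allowed_fields:
            clean[key] = value            # implicit exact lookup on an allowed path
            continue
        path, sep, lookup = key.rpartition("__")
        if sep and path in allowed_fields and lookup in allowed_lookups:
            clean[key] = value            # allowed path + allowed lookup type
            continue
        raise UnsafeLookup(f"lookup key not on allowlist: {key!r}")
    return clean


def rejects(user_kwargs, allowed_fields):
    """True if sanitize_lookup_kwargs refuses the given input (used by tests)."""
    try:
        sanitize_lookup_kwargs(user_kwargs, allowed_fields)
    except UnsafeLookup:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: keys as they might arrive from a query string.
    # In a view this would be Book.objects.filter(**clean) after the check.
    incoming = {"title__icontains": "django", "author__name": "cyberstan"}
    clean = sanitize_lookup_kwargs(incoming, {"title", "author__name"})
    print("accepted:", clean)
    for bad in ({"_connector": "OR"}, {"author__secret": "x"}, {"title__regex": ".*"}):
        print("rejected:", bad, rejects(bad, {"title", "author__name"}))
```

The check is deliberately a positive allowlist rather than a blocklist of known private names: it blocks `_connector` and `_negated` because they start with an underscore, and it also blocks any lookup type (such as `regex`) or relation traversal the application did not decide to expose.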
Vulnerability Analysis
CVE-2025-64459 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Initial report received.
Vulnerability confirmed.
Security release issued, 16 days later.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2025-64459 has been classified as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2025-64459
Affected Versions
djangoproject Django:
- 5.2 series before 5.2.8 is affected.
- Version 5.2.8 is unaffected.
- 5.1 series before 5.1.14 is affected.
- Version 5.1.14 is unaffected.
- 4.2 series before 4.2.26 is affected.
- Version 4.2.26 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.