CVE-2025-57833
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases: a suitably crafted dictionary, expanded with dictionary expansion as the `**kwargs` passed to QuerySet.annotate() or QuerySet.alias(), can inject SQL through the alias name.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-57833
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-57833.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 3:3.2.25-0+deb12u1 |
| debian | bullseye | fixed | 2:2.2.28-1~deb11u8 |
| debian | forky | fixed | 3:4.2.24-1 |
| debian | sid | fixed | 3:4.2.24-1 |
| debian | trixie | fixed | 3:4.2.27-0+deb13u1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-57833
- https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
- https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
- https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/django/django
- https://groups.google.com/g/django-announce
- https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
- https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
- https://www.djangoproject.com/weblog/2025/sep/03/security-releases
- http://www.openwall.com/lists/oss-security/2025/09/03/3
- https://docs.djangoproject.com/en/dev/releases/security/
- https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
- https://www.suse.com/security/cve/CVE-2025-57833.html
- https://security-tracker.debian.org/tracker/CVE-2025-57833