CVE-2025-59681
unknown
CVSS v3: —
CVSS v2: —
VIR risk: —
Description
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. `QuerySet.annotate()`, `QuerySet.alias()`, `QuerySet.aggregate()`, and `QuerySet.extra()` are subject to SQL injection in column aliases when a suitably crafted dictionary is passed, via dictionary expansion, as the `**kwargs` to these methods (on MySQL and MariaDB).
Predictions (heuristic, for prioritization only)
Exploit likelihood: 30%
Patch ETA: —
Mitigations
Upstream fix: upgrade to Django 4.2.25, 5.1.13, or 5.2.7 or later (the fixed releases named in the Description); distribution packages may carry a backported fix instead (see OS impact).
- Vendor advisory (Debian): https://security-tracker.debian.org/tracker/CVE-2025-59681
- Vendor advisory (SUSE): https://www.suse.com/security/cve/CVE-2025-59681.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 3:3.2.25-0+deb12u1 |
| debian | bullseye | fixed | 2:2.2.28-1~deb11u9 |
| debian | forky | fixed | 3:4.2.25-1 |
| debian | sid | fixed | 3:4.2.25-1 |
| debian | trixie | fixed | 3:4.2.27-0+deb13u1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-59681
- https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a
- https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/django/django
- https://groups.google.com/g/django-announce
- https://www.djangoproject.com/weblog/2025/oct/01/security-releases
- http://www.openwall.com/lists/oss-security/2025/10/01/3
- https://www.suse.com/security/cve/CVE-2025-59681.html
- https://security-tracker.debian.org/tracker/CVE-2025-59681