Django, one of the vital common Python net growth frameworks, has disclosed two vital safety vulnerabilities that might enable attackers to execute SQL injection assaults and launch denial-of-service assaults.
The vulnerabilities, recognized as CVE-2025-64458 and CVE-2025-64459, have an effect on core parts of the framework and require rapid consideration from builders utilizing Django of their functions.
The extra severe of the 2 vulnerabilities, CVE-2025-64459, carries a excessive severity score and entails a possible SQL injection weak point in Django’s QuerySet and Q objects.
SQL Injection and Home windows-Particular DoS Vulnerability
Safety researcher Cyberstan found that the QuerySet.The filter(), QuerySet.exclude(), and QuerySet.get() strategies, together with the Q() class, are weak when processing specifically crafted dictionaries that use the _connector key phrase argument with dictionary growth.
This flaw might allow malicious actors to inject arbitrary SQL instructions into database queries, probably compromising delicate information or gaining unauthorized entry to backend programs.
SQL injection stays one of the vital harmful net software vulnerabilities, making this discovery notably regarding for organizations counting on Django for his or her net infrastructure.
The second vulnerability, CVE-2025-64458, impacts Django installations working on Home windows.
CVE IDVulnerability TypeAffected VersionsCVSS ScoreCVE-2025-64458Denial-of-Service (DoS)Django 4.2, 5.1, 5.2, 6.0 (beta)5.3CVE-2025-64459SQL InjectionDjango 4.2, 5.1, 5.2, 6.0 (beta)9.8
Seokchan Yoon from ch4n3.KR recognized this moderate-severity denial-of-service weak point within the HttpResponseRedirect and HttpResponsePermanentRedirect features. The problem stems from gradual NFKC normalization in Python on Home windows.
Attackers can exploit this efficiency bottleneck by submitting inputs containing huge numbers of Unicode characters, inflicting the applying to eat extreme assets and probably turn out to be unresponsive.
Though rated average severity, this vulnerability might nonetheless disrupt companies and have an effect on person expertise on Home windows-based Django deployments.
Django builders ought to replace their installations to the newest patched variations as quickly as attainable.
Organizations utilizing Django on Home windows programs ought to pay explicit consideration to the DoS vulnerability. On the similar time, all Django customers should handle the SQL injection flaw no matter their working system.
Common safety updates and following Django’s safety greatest practices stay important for sustaining safe net functions.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
