How to fix CVE-2025-59681?

Within 7 days: Identify all affected systems running Django 4.2 and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Is Python affected by CVE-2025-59681?

Organizations using Django 4.2 face moderate risk from CVE-2025-59681, a SQL injection vulnerability rated CVSS 7.1. Successful exploitation could allow attackers to execute arbitrary code or commands on affected systems, potentially leading to full system compromise.

CVE-2025-59681

EUVD-2025-32691 HIGH

2025-10-01 [email protected]

GHSA-hpr9-3m2g-3j9p

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

EUVD ID Assigned

Mar 13, 2026 - 18:18 euvd

EUVD-2025-32691

CVE Published

Oct 01, 2025 - 19:15 nvd

HIGH 7.1

Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Analysis

Technical Context

SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries.

Affected Products

Affected products: Djangoproject Django

Remediation

Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

Vendor Status

Ubuntu

Priority: Medium

python-django

Release	Status	Version
upstream	released	4.2.25,5.1.13,5.2.7
bionic	released	1:1.11.11-1ubuntu1.21+esm12
focal	released	2:2.2.12-1ubuntu0.29+esm4
jammy	released	2:3.2.12-2ubuntu1.22
noble	released	3:4.2.11-1ubuntu1.11
plucky	released	3:4.2.18-1ubuntu1.5
trusty	released	1.6.11-0ubuntu1.3+esm8
xenial	released	1.8.7-1ubuntu5.15+esm9
questing	released	3:5.2.4-1ubuntu2

USN-7794-1

Debian

Bug #1116979

python-django

Release	Status	Fixed Version	Urgency
bullseye	fixed	2:2.2.28-1~deb11u9	-
bullseye (security)	fixed	2:2.2.28-1~deb11u12	-
bookworm	fixed	3:3.2.25-0+deb12u1	-
bookworm (security)	fixed	3:3.2.25-0+deb12u2	-
trixie	fixed	3:4.2.27-0+deb13u1	-
trixie (security)	fixed	3:4.2.28-0+deb13u1	-
forky, sid	fixed	3:4.2.29-1	-
(unstable)	fixed	3:4.2.25-1	-

DLA-4324-1 DSA-6117-1 DSA-6136-1

CVE-2025-59681 vulnerability details – vuln.today

Back

CVE-2025-59681

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-59681

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code