EUVD-2025-200249 | CVE-2025-13372
Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-02
Related identifiers: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92, GHSA-rqw2-ghq9-44m7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 14:04 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 14:04 (euvd), EUVD-2025-200249
Patch Released: Mar 15, 2026 - 14:04 (nvd), patch available
CVE Published: Dec 02, 2025 - 16:15 (nvd), MEDIUM 4.3

Description

An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Technical Context

SQL injection occurs when untrusted input reaches the text of an SQL statement instead of being passed as a bound parameter. Django parameterizes filter values, but an alias name is an SQL identifier, and identifiers cannot be bound by the driver; they have to be validated. In this issue the untrusted input is the dictionary key that becomes a `**kwargs` name for `QuerySet.annotate()` or `QuerySet.alias()` with a `FilteredRelation` value. On PostgreSQL the affected releases emitted a crafted key into the generated query as a column alias without rejecting it. The vector (PR:N, UI:R, C:L) reflects that exploitation needs an application that builds those keys from request data, and that the recorded impact is limited disclosure of data the query was not meant to return.

Affected Products

Affected products: Django (djangoproject.com) 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27, when used with the PostgreSQL database backend. Unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected.

Remediation

A vendor patch is available: upgrade to Django 5.2.9, 5.1.15 or 4.2.27, or to the distribution package versions listed under Vendor Status. Parameterized queries do not address this issue on their own, because the injected value is a column alias, an identifier the database driver cannot bind; the ORM already parameterizes filter values. On the application side, never derive alias names from request data: pick the keys passed to `annotate()` or `alias()` from a fixed, server-defined set, and validate any alias that has to be dynamic against a strict identifier pattern before the call. Run the application with a least-privilege database account so that an injection into a SELECT cannot reach tables the application does not need.
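The following is an added example for this advisory, not Django project code. It contrasts the vulnerable pattern (the `**kwargs` key, which becomes the SQL alias, is copied straight from the request) with the hardened one (the request selects from a server-defined allowlist, and every alias is additionally checked against a strict identifier pattern before the `annotate()` call). The model and field names (`Author`, `book`, `published`, `price`), the request parameter names, and the forbidden-character pattern are assumptions made for the example; the pattern follows the spirit of the alias check Django applies to `annotate()` names but is not copied from Django. Only `annotate_authors()` needs Django installed; the alias handling runs stand-alone.

```python
"""Alias hardening for QuerySet.annotate()/alias() with FilteredRelation.

Added example, not Django project code. Model/field names and the regex are
assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Delimiters, whitespace, statement separators and comment markers that must
# never appear inside an SQL alias. Written for this example (assumption); it
# follows the intent of Django's own alias check but is not a copy of it.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"""['`"\]\[;\s]|--|/\*|\*/""")

# Request parameter value -> (server-defined alias, relation name, Q() kwargs).
# Everything in this table is chosen by the server, never by the caller.
ALLOWED_FILTERS = {
    "recent": ("recent_books", "book", {"book__published__year": 2025}),
    "cheap": ("cheap_books", "book", {"book__price__lt": 10}),
}


@dataclass(frozen=True)
class RelationSpec:
    """Plain stand-in for FilteredRelation(relation_name, condition=Q(**condition))
    so the alias handling can be exercised without a database."""
    relation_name: str
    condition: dict = field(default_factory=dict)


def is_safe_alias(alias) -> bool:
    """True only for identifier-like alias names that cannot escape quoting."""
    if not isinstance(alias, str) or FORBIDDEN_ALIAS_PATTERN.search(alias):
        return False
    return alias.isidentifier()


def vulnerable_kwargs(params: dict) -> dict:
    """Vulnerable pattern: the caller controls the alias.

    When this dict is splatted into annotate()/alias() on an affected Django
    release with PostgreSQL, its key reaches the SQL as a column alias.
    """
    alias = params["alias"]  # raw request value used as the **kwargs name
    return {alias: RelationSpec("book", {"book__published__year": 2025})}


def hardened_kwargs(params: dict) -> dict:
    """Hardened pattern: the request only selects an allowlist entry."""
    choice = params.get("filter")
    if choice not in ALLOWED_FILTERS:
        raise ValueError(f"unknown filter {choice!r}")
    alias, relation_name, condition = ALLOWED_FILTERS[choice]
    return {alias: RelationSpec(relation_name, condition)}


def guard_aliases(kwargs: dict) -> dict:
    """Drop-in check in front of an existing annotate(**kwargs)/alias(**kwargs)
    call: refuse the whole call if any alias is not a plain identifier."""
    bad = [k for k in kwargs if not is_safe_alias(k)]
    if bad:
        raise ValueError(f"rejected alias name(s): {bad!r}")
    return kwargs


def is_rejected(kwargs: dict) -> bool:
    """Does guard_aliases() refuse this kwargs dict?"""
    try:
        guard_aliases(kwargs)
    except ValueError:
        return True
    return False


def annotate_authors(queryset, params: dict):
    """Apply the hardened kwargs to a real Author QuerySet. The Django import is
    deferred so the rest of this module runs without Django installed."""
    from django.db.models import FilteredRelation, Q

    kwargs = {
        alias: FilteredRelation(spec.relation_name, condition=Q(**spec.condition))
        for alias, spec in guard_aliases(hardened_kwargs(params)).items()
    }
    return queryset.annotate(**kwargs)


if __name__ == "__main__":
    # Constructed request input: one benign selection, one crafted alias name.
    print(hardened_kwargs({"filter": "recent"}))
    crafted = vulnerable_kwargs({"alias": 'x"; --'})
    print("crafted alias rejected by guard:", is_rejected(crafted))
```

`guard_aliases()` is the piece worth adding in front of existing dynamic `annotate()` or `alias()` calls while an upgrade is pending; `hardened_kwargs()` is the shape the code should have afterwards, since an allowlist removes the need to reason about alias syntax at all.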

Priority Score

22 (KEV: 0, EPSS: +0.0, CVSS: +22, POC: 0)

Vendor Status

Ubuntu

Priority: Medium
python-django
Release    Status         Version
trusty     not-affected   code not present
xenial     not-affected   code not present
bionic     not-affected   code not present
upstream   needs-triage   -
focal      released       2:2.2.12-1ubuntu0.29+esm6
jammy      released       2:3.2.12-2ubuntu1.24
noble      released       3:4.2.11-1ubuntu1.13
plucky     released       3:4.2.18-1ubuntu1.7
questing   released       3:5.2.4-1ubuntu2.2

Debian

Bug #1121788
python-django
Release                    Status         Fixed Version            Urgency
bullseye                   not-affected   -                        -
bullseye (security)        fixed          2:2.2.28-1~deb11u12      -
bookworm                   fixed          3:3.2.25-0+deb12u1       -
bookworm (security)        fixed          3:3.2.25-0+deb12u2       -
trixie (security), trixie  fixed          3:4.2.28-0+deb13u1       -
forky, sid                 fixed          3:4.2.29-1               -
trixie                     fixed          3:4.2.27-0+deb13u1       -
(unstable)                 fixed          3:4.2.27-1               -
