Critical SQL Injection Flaw in Django Framework Puts Web Apps at Risk

Django Patches Critical SQL Injection Vulnerability (CVE-2025-64459) with 9.1 CVSS Score

CRITICAL
November 6, 2025
5m read
VulnerabilityPatch ManagementThreat Intelligence

Related Entities

Products & Tech

Django

CVE Identifiers

CVE-2025-64459
CRITICAL
CVSS:9.1
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1505Initial Access

SQL Injection

T1190Initial Access

Exploit Public-Facing Application

Full Report

Executive Summary

On November 5, 2025, the Django security team disclosed and patched a critical SQL injection vulnerability, CVE-2025-64459. The flaw has a CVSS v3.1 score of 9.1, reflecting its severity and ease of exploitation. It exists within the framework's Object-Relational Mapping (ORM) component and can be triggered when a dictionary with dictionary expansion is used as a _connector argument in specific QuerySet methods. An unauthenticated attacker could exploit this to execute arbitrary SQL commands, leading to a complete compromise of the application's data confidentiality and integrity. Patches have been released in Django versions 5.2.8, 5.1.14, and 4.2.26. All organizations using affected Django versions are urged to upgrade immediately.

Vulnerability Details

The vulnerability CVE-2025-64459 is a classic SQL injection flaw but with a novel entry point through the Django ORM's internal mechanisms. The flaw resides in how the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods handle dictionary expansion (**kwargs) when used with a specific internal parameter.

An attacker can exploit this by crafting a dictionary where a key is _connector and passing it to one of the vulnerable methods using dictionary expansion. For example: MyModel.objects.filter(**{"_connector": "' OR 1=1 --"})

Normally, the _connector argument is used internally to specify logical operators (AND/OR). However, the vulnerability arises because the framework failed to properly sanitize this parameter when it was supplied through user-controlled dictionary expansion, allowing raw SQL to be injected directly into the WHERE clause of the database query.

A second, less severe denial-of-service vulnerability, CVE-2025-64458, was also patched in the same release, affecting applications on Windows.

Affected Systems

The vulnerability affects the following supported and pre-release versions of Django:

  • Django 5.2 (before version 5.2.8)
  • Django 5.1 (before version 5.1.14)
  • Django 4.2 (before version 4.2.26)
  • Django 6.0 (beta versions)

Older, unsupported versions of Django are also likely to be affected.

Exploitation Status

There are no public reports of in-the-wild exploitation at the time of disclosure. However, the low complexity of the attack and the public availability of technical details mean that exploits are likely to be developed and used quickly. Proactive patching is essential.

Impact Assessment

Successful exploitation of CVE-2025-64459 can have severe consequences, including:

  • Data Exfiltration: Attackers can bypass access controls and read any data from the application's database, including user credentials, personal information, and financial records.
  • Authentication Bypass: An attacker could manipulate login queries to bypass authentication and gain unauthorized access to privileged accounts.
  • Data Modification/Deletion: Attackers could alter or delete records in the database, corrupting data and disrupting business operations.
  • Denial of Service: Malicious queries could be crafted to overload the database server, causing a denial of service.
  • Potential for RCE: Depending on the database configuration and permissions, SQL injection can sometimes be escalated to achieve remote code execution on the database server.

Cyber Observables for Detection

Type Value Description Context Confidence
url_pattern _connector= in query parameters A URL query string containing the _connector parameter could be an indicator of an exploitation attempt. Monitor web server access logs and WAF logs for this specific parameter name. high
log_source Database Query Logs SQL queries containing logical inconsistencies like ... WHERE (' OR 1=1 -- ...) Enable and monitor database query logs for malformed or suspicious SQL statements. high
other Application errors related to malformed SQL queries Unsuccessful exploit attempts may trigger database errors that are logged by the Django application. Monitor application error logs for DatabaseError or similar exceptions. medium

Detection Methods

  1. Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to detect and block SQL injection patterns. A custom rule could be created to block any request containing _connector as a query parameter, as this is not a standard use case.
  2. Static and Dynamic Analysis (SAST/DAST): Use SAST tools to scan Django codebases for instances where user-controlled dictionaries are passed directly to filter(), exclude(), or get() methods. DAST tools can be used to actively probe running applications for the vulnerability.
  3. Code Review: Manually review code that constructs dynamic QuerySet filters based on user input to ensure it does not allow for the injection of the _connector key.

Remediation Steps

  1. Upgrade Django: The primary and most effective remediation is to upgrade to a patched version of the framework. Developers should upgrade according to their current version branch:
    • If on 5.2.x, upgrade to Django 5.2.8
    • If on 5.1.x, upgrade to Django 5.1.14
    • If on 4.2.x, upgrade to Django 4.2.26 This is a direct application of D3-SU: Software Update.
  2. Input Validation (Workaround): If immediate upgrade is not possible, developers must implement strict validation on any user-controlled data that is used to construct a dictionary for QuerySet methods. Ensure that keys like _connector are explicitly stripped out before being passed to the ORM. This is a form of D3-ACH: Application Configuration Hardening.

Timeline of Events

1
November 5, 2025
The Django security team releases patched versions to address CVE-2025-64459 and CVE-2025-64458.
2
November 6, 2025
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The most effective mitigation is to upgrade the Django framework to a patched version (4.2.26+, 5.1.14+, or 5.2.8+).

Mapped D3FEND Techniques:

D3-SU

Exploit Protection

M1050enterprise

Implement a Web Application Firewall (WAF) to detect and block common SQL injection patterns in web requests.

Mapped D3FEND Techniques:

D3-AH

Software Configuration

M1054enterprise

As a temporary workaround, sanitize user-controlled input to strip out potentially malicious keys like '_connector' before passing them to the Django ORM.

Mapped D3FEND Techniques:

D3-ACH

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The definitive countermeasure for CVE-2025-64459 is to apply the security patches released by the Django project. This is not a vulnerability that can be reliably mitigated with configuration changes alone. Development teams must immediately identify all applications using vulnerable versions of Django (4.2.x, 5.1.x, 5.2.x) and prioritize their upgrade. The upgrade path is straightforward: pip install --upgrade django==<patched_version>. For example, an application on Django 4.2.25 must be upgraded to 4.2.26. After upgrading, teams must run their full test suite to ensure no regressions were introduced. Given the critical 9.1 CVSS score and the public disclosure of the vulnerability, this should be treated as an emergency patch, bypassing normal development cycles to close the security hole as quickly as possible.

Application Hardening

D3-AHMaps to MITREM1050
D3FEND

In addition to patching, Application Hardening can provide a defense-in-depth posture against SQL injection flaws like CVE-2025-64459. A key component of this is deploying a Web Application Firewall (WAF) in front of all Django applications. The WAF should be configured with a robust, up-to-date ruleset for detecting SQL injection attacks. Specifically for this CVE, a custom WAF rule should be created to inspect all incoming HTTP requests (GET and POST) and block any that contain the string _connector= in the query parameters or request body. Since this is an internal ORM parameter that should never be exposed to or controlled by an end-user, this rule would have a very low false-positive rate and would effectively block exploitation attempts, even before the application itself is patched. This provides a crucial layer of protection while the patching process is underway.

Sources & References

Multiple Django Vulnerabilities Expose Web Applications to SQL Injection and DoS Attacks
BleepingComputerNovember 6, 2025
Critical SQL Injection Vulnerability in Django (CVE-2025-64459)
Endor LabsNovember 6, 2025
CVE-2025-64459
CVE DetailsNovember 5, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

DjangoSQL InjectionVulnerabilityCVE-2025-64459PythonWeb SecurityPatch Management

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next