Threat Advisory

Django Flaw Exposes Applications to SQL Injection Attacks

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Researcher have been released for a popular Python web framework addressing two vulnerabilities affecting multiple supported versions, including main, 6.0 alpha, 5.2, 5.1, and 4.2. The most critical issue allows SQL injection through certain QuerySet methods on MySQL and MariaDB backends, potentially exposing or corrupting application data. The second vulnerability involves a directory extraction function that could enable partial directory traversal, allowing attackers to overwrite files during project setup with malicious templates. Updated versions contain the necessary patches, and users are strongly encouraged to upgrade or implement mitigations to reduce risk.

 

  • CVE-2025-59681 – SQL injection with a CVSS score of 7.5, allows attackers to manipulate SQL queries using crafted dictionary expansions on MySQL and MariaDB.

 

  • CVE-2025-59682 – Directory traversal with a CVSS score of 3.3, allows partial directory traversal via the archive extraction function, potentially overwriting files during project setup when malicious templates are used.

 

Both vulnerabilities pose risks to applications relying on the affected framework, with one enabling SQL injection and the other allowing limited directory traversal. Immediate upgrades to the patched versions are strongly recommended to prevent exploitation.

RECOMMENDATION:

We strongly recommend you update Django web framework to below versions:

  • Django 5.2.7
  • Django 5.1.13
  • Django 4.2.25

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/django-security-alert-high-severity-sql-injection-flaw-cve-2025-59681-fixed-in-latest-updates/

crossmenu