EXECUTIVE SUMMARY:
Two high-severity vulnerabilities have been identified in Django, tracked as CVE-2025-64458 and CVE-2025-64459. These flaws affect multiple versions of the Django web framework and could enable attackers to perform denial-of-service (DoS) or SQL injection attacks against vulnerable deployments.
- CVE-2025-64458: This vulnerability exists in the file upload handling mechanism, where improper input validation in multipart form data parsing could allow remote attackers to trigger a denial-of-service (DoS) condition. By sending specially crafted HTTP requests with large or malformed multipart payloads, an attacker could cause excessive resource consumption and application downtime. CVSS v3.1 score is 7.5 (High).
- CVE-2025-64459: This SQL injection flaw arises from unsafe query construction in Django’s ORM when processing specific lookups with user-controlled input. A remote, unauthenticated attacker could exploit this flaw to execute arbitrary SQL commands on the underlying database, potentially leading to data exposure, corruption, or full compromise of the backend system. CVSS v3.1 score is 9.1 (Critical).
These vulnerabilities pose significant risks to web applications built with Django, especially those that accept user input or handle file uploads.
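The ORM issue described above is reached through lookups built from user-controlled input. Until the upgrade is rolled out, one defence-in-depth measure is to never pass request parameters straight into `.filter(**kwargs)` but to allowlist both the field name and the lookup suffix first. The example below is an added illustration, not code from the Django project or from this advisory; it is written as a plain function so it runs without Django installed, and the field names, lookup set and sample input are constructed for the example. In a view, the returned dict would be what is handed to `Model.objects.filter(**clean)`.

```python
from typing import Any, Dict, Iterable, Mapping

# Lookup suffixes the application is willing to expose to callers (constructed
# allowlist; extend only with lookups the application actually needs).
ALLOWED_LOOKUPS = {"exact", "iexact", "contains", "icontains", "gt", "gte", "lt", "lte", "in"}


class UnsafeLookup(ValueError):
    """Raised when a user-supplied filter key is not on the allowlist."""


def sanitize_filter_kwargs(user_kwargs: Mapping[Any, Any],
                           allowed_fields: Iterable[str]) -> Dict[str, Any]:
    """Return only those keys of the form 'field' or 'field__lookup' whose field
    is in `allowed_fields` and whose lookup (if any) is in ALLOWED_LOOKUPS.

    Anything else (non-string keys, unknown fields, unknown or chained lookups,
    relation traversal) is rejected outright rather than silently dropped, so
    a probing request fails loudly and can be logged.
    """
    allowed = set(allowed_fields)
    clean: Dict[str, Any] = {}
    for key, value in user_kwargs.items():
        if not isinstance(key, str):
            raise UnsafeLookup(f"non-string filter key: {key!r}")
        parts = key.split("__")
        field, lookups = parts[0], parts[1:]
        if field not in allowed:
            raise UnsafeLookup(f"field not exposed for filtering: {field!r}")
        if len(lookups) > 1:
            # No relation traversal or chained transforms from untrusted input.
            raise UnsafeLookup(f"chained lookup not permitted: {key!r}")
        if lookups and lookups[0] not in ALLOWED_LOOKUPS:
            raise UnsafeLookup(f"lookup not permitted: {lookups[0]!r}")
        clean[key] = value
    return clean


def is_safe_filter(user_kwargs: Mapping[Any, Any], allowed_fields: Iterable[str]) -> bool:
    """Convenience predicate: True if every key passes the allowlist."""
    try:
        sanitize_filter_kwargs(user_kwargs, allowed_fields)
        return True
    except UnsafeLookup:
        return False


if __name__ == "__main__":
    # Constructed sample: what a query-string parser might hand to a search view.
    exposed = ["name", "age"]
    print(sanitize_filter_kwargs({"name__icontains": "ann", "age__gte": 18}, exposed))
    for bad in ({"password__exact": "x"}, {"name__regex": ".*"}, {"owner__email": "a@b"}):
        print(bad, "->", "rejected" if not is_safe_filter(bad, exposed) else "accepted")
```

Rejecting rather than filtering is deliberate: a request that carries a key outside the allowlist is either a bug in the client or someone probing the query layer, and both are worth surfacing in logs.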
RECOMMENDATION:
We strongly recommend updating Django to version 5.2.8, 5.1.14, or 4.2.26, whichever corresponds to the release branch in use.
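To check an installed deployment against the fixed versions named above, the following added script (not part of the advisory or of Django) compares a version string with the fixed release on its own branch. It reads the installed version through `importlib.metadata` when Django is present and otherwise accepts a version string on the command line; branches that the advisory does not list are reported as "unknown" rather than assumed safe.

```python
import sys
from importlib.metadata import PackageNotFoundError, version as pkg_version
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 2): (4, 2, 26),
    (5, 1): (5, 1, 14),
    (5, 2): (5, 2, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z'; a trailing tag such as 'a1' or '.post1' is ignored."""
    parts = text.strip().split(".")
    nums = []
    for part in parts[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    if len(nums) < 2:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a Django version string.

    'unknown' covers branches the advisory does not mention (older, unsupported
    branches and any newer branch); it must not be read as 'safe'.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def installed_django_version() -> Optional[str]:
    """Version string of the Django package in this environment, or None."""
    try:
        return pkg_version("Django")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else installed_django_version()
    if target is None:
        print("Django is not installed here; pass a version string, e.g. 5.2.7")
        sys.exit(2)
    verdict = assess(target)
    print(f"Django {target}: {verdict}")
    sys.exit(0 if verdict == "patched" else 1)
```

The non-zero exit code for anything other than "patched" lets the script sit in a CI or fleet-inventory job without further wrapping.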
REFERENCES:
The following report contains further technical details:
https://securityonline.info/django-team-patches-high-severity-sql-injection-flaw-cve-2025-64459-and-dos-bug-cve-2025-64458-in-latest-security-update/