CVE-2025-13372

Severity: MEDIUM (CVSS 4.3) | EPSS: 0.01%

python-django - security update

Published: 12/2/2025
Modified: 1/31/2026
Also known as: GHSA-rqw2-ghq9-44m7, DSA-6117-1, BIT-django-2025-13372, DEBIAN-CVE-2025-13372, DEBIAN-CVE-2025-57833, DEBIAN-CVE-2025-59681, DEBIAN-CVE-2025-59682, DEBIAN-CVE-2025-64459, DEBIAN-CVE-2025-64460, PYSEC-2025-104

Description

An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases on PostgreSQL: a suitably crafted dictionary, passed with dictionary expansion as the `**kwargs` to `QuerySet.annotate()` or `QuerySet.alias()`, can place attacker-controlled text into the generated SQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Affected packages (5)

CVSS scores

Source | CVSS version | Severity | Score | Vector
osv    | CVSS 3.1     | MEDIUM   | 4.3   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (13)