CVE-2025-57833

django: Django SQL injection in FilteredRelation column aliases

Description

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

INFO

Published Date :

2025-09-03T00:00:00.000Z

Last Modified :

2025-11-04T21:13:19.662Z

Source :

mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2025-57833 vulnerability.

Vendors	Products
Djangoproject	Django

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-57833.

URL	Resource
http://www.openwall.com/lists/oss-security/2025/09/03/3
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
https://www.cve.org/CVERecord?id=CVE-2025-57833
https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact