What security vulnerabilities were patched in Django?

The Django Software Foundation has released security updates patching multiple security vulnerabilities in the Django framework, including at least one critical flaw. The vulnerabilities include CVE-2025-64459, a critical SQL injection vulnerability with a CVSS score of 9.4, and CVE-2025-64458, a denial-of-service vulnerability with a CVSS score of 7.8.

What is CVE-2025-64459?

CVE-2025-64459 is a critical SQL injection vulnerability with a CVSS score of 9.4 affecting the _connector keyword argument in QuerySet and Q objects. The flaw affects QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class. Insufficient input validation of the _connector parameter enables attackers to inject arbitrary SQL commands into database queries, potentially enabling unauthorized access to sensitive data, modification of database records, or complete deletion of critical information.

What is CVE-2025-64458?

CVE-2025-64458 is a denial-of-service vulnerability with a CVSS score of 7.8 affecting HttpResponseRedirect and HttpResponsePermanentRedirect on Windows. The execution of NFKC normalization operations in Python when running on Windows systems is much slower compared to other operating systems. Attackers can exploit this performance disparity by crafting malicious HTTP requests containing extraordinarily large numbers of Unicode characters, forcing the normalization process to consume excessive CPU resources and system memory.

What Django methods are affected by the SQL injection vulnerability?

The SQL injection vulnerability CVE-2025-64459 affects QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class. All of these methods are vulnerable due to insufficient input validation of the _connector parameter, which allows attackers to inject arbitrary SQL commands into database queries.

What can attackers do by exploiting the Django SQL injection vulnerability?

By exploiting CVE-2025-64459, attackers can inject arbitrary SQL commands into database queries, potentially enabling unauthorized access to sensitive data, modification of database records, or complete deletion of critical information. This critical vulnerability gives attackers significant control over the application's database operations.

Does the Django denial-of-service vulnerability affect all operating systems?

No, CVE-2025-64458 specifically affects HttpResponseRedirect and HttpResponsePermanentRedirect on Windows systems only. The vulnerability exploits the fact that NFKC normalization operations in Python are much slower on Windows compared to other operating systems, creating a platform-specific denial-of-service attack vector.

How does the Django denial-of-service attack work?

Attackers exploit CVE-2025-64458 by crafting malicious HTTP requests containing extraordinarily large numbers of Unicode characters. When Django processes these requests on Windows systems, the NFKC normalization process consumes excessive CPU resources and system memory due to the slower performance on Windows, leading to denial of service.

What patched versions of Django are available?

The patched releases Django 5.2.8, 5.1.14, and 4.2.26 are available for download from the official Django website. These versions contain fixes for both CVE-2025-64459 and CVE-2025-64458.

What should Django users do about these vulnerabilities?

All Django users should schedule upgrades to the patched release based on their deployment version. Users should update to Django 5.2.8, 5.1.14, or 4.2.26 depending on which version series they are currently running.

What is the severity level of the Django SQL injection vulnerability?

CVE-2025-64459 has a CVSS score of 9.4, which is classified as critical severity. This high rating reflects the ease of exploitation, the significant potential impact on data confidentiality and integrity, and the ability for attackers to execute arbitrary SQL commands that could compromise the entire database.

What is the _connector parameter in Django?

The _connector parameter is a keyword argument used in QuerySet and Q objects in Django. The SQL injection vulnerability CVE-2025-64459 exploits insufficient input validation of this parameter, allowing attackers to inject arbitrary SQL commands when this parameter is processed by QuerySet.filter(), QuerySet.exclude(), QuerySet.get() methods, or the Q() class.

What is NFKC normalization in the Django vulnerability?

NFKC normalization is a Unicode text normalization operation that Python performs on certain inputs. In the context of CVE-2025-64458, this operation is significantly slower on Windows systems compared to other operating systems. Attackers exploit this performance difference by sending requests with large numbers of Unicode characters, causing the normalization process to consume excessive resources and create a denial of service.

Is Django 6.0 affected by these vulnerabilities?

Yes, Django 6.0, which is currently in beta status, is affected by both CVE-2025-64459 and CVE-2025-64458. Users running beta versions of Django 6.0 should update to the latest patched version available.

Where can I download the patched Django versions?

The patched releases Django 5.2.8, 5.1.14, and 4.2.26 are available for download from the official Django website. Users should download the appropriate version based on which Django series they are currently running.

What HTTP response classes are affected by the Django DoS vulnerability?

The denial-of-service vulnerability CVE-2025-64458 affects HttpResponseRedirect and HttpResponsePermanentRedirect classes on Windows systems. These classes are used for HTTP redirect responses in Django applications.

What data is at risk from the Django SQL injection vulnerability?

The SQL injection vulnerability CVE-2025-64459 puts all data in the Django application's database at risk. Attackers could potentially gain unauthorized access to sensitive data, modify database records, or completely delete critical information through injected SQL commands. The full scope of data exposure depends on the database permissions and the data stored in the application.

Advisory

Django releases update, patches critical SQL injection flaw and Denial-of-Service condition

Q: Which Django versions are affected by these vulnerabilities?

Affected versions include Django main branch, Django 6.0 (currently in beta status), Django 5.2, Django 5.1, and Django 4.2. Earlier unsupported Django series, including versions 5.0.x, 4.1.x, and 3.2.x, are not formally evaluated by the Django security team and may also be vulnerable to these exploits.

published: Nov. 6, 2025

Take action: If you use Django web framework (versions 4.2, 5.1, or 5.2), plan a quick update to the patched versions (4.2.26, 5.1.14, or 5.2.8). The main problem is the SQL injection flaw. And by design most Django apps are accessible on the internet, so you can't really hide the server from attackers.

Learn More

The Django Software Foundation has released security updates patching multiple security vulnerabilities in the Django framework, at least one critical.

Vulnerabilities summary

CVE-2025-64459 (CVSS score 9.4): SQL injection via _connector keyword argument in QuerySet and Q objects. The flaw affects QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, as well as the Q() class. The insufficient input validation of the _connector parameter enables attackers to inject arbitrary SQL commands into database queries, potentially enabling unauthorized access to sensitive data, modification of database records, or complete deletion of critical information
CVE-2025-64458 (CVSS score 7.8): Denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows. The execution of NFKC normalization operations in Python when running on Windows systems is much slower compared to other operating systems. Attackers can exploit this performance disparity by crafting malicious HTTP requests containing extraordinarily large numbers of Unicode characters, forcing the normalization process to consume excessive CPU resources and system memory.

Affected versions are Django main branch, Django 6.0 (currently in beta status), Django 5.2, Django 5.1, and Django 4.2. Earlier unsupported Django series, including versions 5.0.x, 4.1.x, and 3.2.x, are not formally evaluated by the Django security team and may also be vulnerable to these exploits.

The patched releases Django 5.2.8, 5.1.14, and 4.2.26 are available for download from the official Django website.

All Django users should schedule upgrades to the patched release based on their deployment version.

Django releases update, patches critical SQL injection flaw and Denial-of-Service condition

Read More
GitLab patches multiple account takeover and injection vulnerabilities
Critical vulnerability reported in Java security framework pac4j
Flaw in NVIDIA Isaac Lab enables remote code …
Critical CleanTalk Plugin Vulnerability Allows WordPress Site Takeover …
Critical directory traversal vulnerability reported in React Router …