CVE-2025-13372

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-13372
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13372.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-13372
Aliases
Downstream
Related
Published
2025-12-02T16:15:53.907Z
Modified
2025-12-14T04:48:40.240941Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
879e5d587b84e6fc961829611999431778eb9f6a
Fixed
5948e6657f8cb6aeaab1a5a45640d089230f461a

Affected versions

4.*

4.2
4.2.1
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.2.19
4.2.2
4.2.20
4.2.21
4.2.22
4.2.23
4.2.24
4.2.25
4.2.26
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13372.json"