DEBIAN-CVE-2025-13372

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-13372

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13372.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-13372

Upstream

CVE-2025-13372

Published

2025-12-02T16:15:53.907Z

Modified

2025-12-30T00:15:23.420897Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

References

https://security-tracker.debian.org/tracker/CVE-2025-13372

Affected packages

Debian:12 / python-django

Package

Name: python-django
Purl: pkg:deb/debian/python-django?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3:3.*

3:3.2.19-1

3:3.2.19-1+deb12u1~bpo11+1

3:3.2.19-1+deb12u1

3:3.2.19-1+deb12u2

3:3.2.20-1

3:3.2.20-1.1

3:3.2.21-1

3:4.*

3:4.1-1

3:4.1.1-1

3:4.1.2-1

3:4.1.3-1

3:4.1.4-1

3:4.1.5-1

3:4.2~alpha1-1

3:4.2~beta1-1

3:4.2~rc1-1

3:4.2-1

3:4.2.1-1

3:4.2.2-1

3:4.2.3-1

3:4.2.4-1

3:4.2.5-1

3:4.2.5-2

3:4.2.6-1

3:4.2.8-1

3:4.2.9-1

3:4.2.10-1

3:4.2.11-1

3:4.2.13-1

3:4.2.14-1

3:4.2.15-1~bpo12+1

3:4.2.15-1

3:4.2.16-1

3:4.2.17-1

3:4.2.17-2

3:4.2.18-1~bpo12+1

3:4.2.18-1

3:4.2.19-1~bpo12+1

3:4.2.19-1

3:4.2.20-1~bpo12+1

3:4.2.20-1

3:4.2.21-1~bpo12+1

3:4.2.21-1

3:4.2.22-1

3:4.2.23-1

3:4.2.24-1

3:4.2.25-1

3:4.2.25-2

3:4.2.26-1

3:4.2.27-1

3:4.2.27-2

3:5.*

3:5.0~alpha1-1

3:5.0~rc1-1

3:5.0-1

3:5.0.1-1

3:5.0.2-1

3:5.0.3-1

3:5.0.4-1

3:5.0.6-1

3:5.1~alpha1-1

3:5.1~beta1-1

3:5.1~rc1-1

3:5.1-1

3:5.1.1-1

3:5.1.2-1

3:5.1.3-1

3:5.1.4-1

3:5.1.5-1

3:5.2~alpha1-1

3:5.2~beta1-1

3:5.2~rc1-1

3:5.2-1

3:5.2.1-1

3:5.2.2-1

3:5.2.3-1

3:5.2.4-1

3:5.2.5-1

3:5.2.6-1

3:6.*

3:6.0~alpha1-1

3:6.0~beta1-1

3:6.0~rc1-1

3:6.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13372.json"

Debian:13 / python-django

Package

Name: python-django
Purl: pkg:deb/debian/python-django?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*

3:4.2.23-1

3:4.2.24-1

3:4.2.25-1

3:4.2.25-2

3:4.2.26-1

3:4.2.27-1

3:4.2.27-2

3:5.*

3:5.0~alpha1-1

3:5.0~rc1-1

3:5.0-1

3:5.0.1-1

3:5.0.2-1

3:5.0.3-1

3:5.0.4-1

3:5.0.6-1

3:5.1~alpha1-1

3:5.1~beta1-1

3:5.1~rc1-1

3:5.1-1

3:5.1.1-1

3:5.1.2-1

3:5.1.3-1

3:5.1.4-1

3:5.1.5-1

3:5.2~alpha1-1

3:5.2~beta1-1

3:5.2~rc1-1

3:5.2-1

3:5.2.1-1

3:5.2.2-1

3:5.2.3-1

3:5.2.4-1

3:5.2.5-1

3:5.2.6-1

3:6.*

3:6.0~alpha1-1

3:6.0~beta1-1

3:6.0~rc1-1

3:6.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13372.json"

Debian:14 / python-django

Package

Name: python-django
Purl: pkg:deb/debian/python-django?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3:4.2.27-1

Affected versions

3:4.*

3:4.2.23-1

3:4.2.24-1

3:4.2.25-1

3:4.2.25-2

3:4.2.26-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13372.json"