PyPI: django

CVE-2025-64459

Safety vulnerability ID: SFTY-20251105-89670

Safety legacy ID: pyup.io-81270

Created at: Nov 27, 2025
Updated at: Nov 27, 2025

Overview

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Advisory

CVE-2025-64459: Affected versions of the Django package are vulnerable to SQL injection because of improper input validation: the internal _connector keyword argument is accepted when an untrusted dictionary is expanded into keyword arguments. The .filter(), .exclude(), and .get() methods on QuerySet, as well as the Q class, resolve **kwargs and treat a supplied _connector value as the logical connector without restricting it to the expected set (AND/OR), so attacker-controlled tokens can influence how the SQL predicate is constructed.
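The defensive counterpart to the pattern the advisory describes, as an added example that is neither Django's code nor part of the Safety advisory: an allowlist applied to an untrusted dictionary before it is expanded into .filter(**kwargs), so that _connector (and any other underscore-prefixed internal keyword) never reaches the ORM. It imports no Django so it runs stand-alone; the field names, lookups and sample parameters are constructed for illustration, and upgrading remains the actual fix.

```python
# Allowlist untrusted query parameters before expanding them into
# QuerySet.filter(**kwargs). Added example, not Django's code: it imports no
# Django so it runs stand-alone; fields, lookups and params are constructed.

# Keywords Q() treats as control arguments rather than field lookups.
# _connector is the one named in CVE-2025-64459; _negated is its sibling.
RESERVED_KWARGS = frozenset({"_connector", "_negated"})

# Hypothetical model fields and lookups this endpoint may filter on.
ALLOWED_FIELDS = frozenset({"status", "owner_id", "created_at"})
ALLOWED_LOOKUPS = frozenset({"exact", "in", "gte", "lte", "icontains"})


class UnsafeFilterKey(ValueError):
    """An untrusted key that must not reach .filter()/.exclude()/.get()."""


def sanitize_filter_kwargs(params: dict) -> dict:
    """Return only allowlisted `field` / `field__lookup` keys from `params`.

    The risky pattern is `Model.objects.filter(**params)` on a dict built from
    request data. Refusing every key that is not an expected field lookup also
    covers underscore-prefixed internal keywords such as _connector.
    """
    safe = {}
    for key, value in params.items():
        if key in RESERVED_KWARGS or key.startswith("_"):
            raise UnsafeFilterKey(f"internal keyword argument rejected: {key!r}")
        parts = key.split("__")
        if len(parts) > 2 or not all(parts):
            # Relation traversal (a__b__c) and malformed keys are out of scope.
            raise UnsafeFilterKey(f"unexpected key shape: {key!r}")
        field = parts[0]
        lookup = parts[1] if len(parts) == 2 else "exact"
        if field not in ALLOWED_FIELDS:
            raise UnsafeFilterKey(f"field not allowlisted: {field!r}")
        if lookup not in ALLOWED_LOOKUPS:
            raise UnsafeFilterKey(f"lookup not allowlisted: {lookup!r}")
        safe[key] = value  # keyword form is kept so .filter(**safe) still works
    return safe


def is_rejected(params: dict) -> bool:
    """True when sanitize_filter_kwargs refuses `params`."""
    try:
        sanitize_filter_kwargs(params)
    except UnsafeFilterKey:
        return True
    return False
```

Call `Model.objects.filter(**sanitize_filter_kwargs(request.GET.dict()))` in place of the unfiltered expansion; anything outside the allowlist raises before the ORM is involved.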

Affected Package

Affecting django package, versions:
<4.2.26
>=5.1a1,<5.1.14
>=5.2a1,<5.2.8


How to Fix

Upgrade django to 4.2.26, 5.1.14 or 5.2.8, or higher.


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.