Django is subject to SQL injection through its column aliases

🗓️ 08 Sep 2025 18:31:31Reported by GitHub Advisory DatabaseType

Django versions before 4.2.24, 5.1.12, and 5.2.6 are vulnerable to injection via FilteredRelation aliases in annotate or alias.

Reporter	Title	Published	Views	Family All 129
FreeBSD	Django -- multiple vulnerabilities	1 Sep 202500:00	–	freebsd
GithubExploit	Exploit for CVE-2025-57833	5 Sep 202505:03	–	githubexploit
GithubExploit	Exploit for CVE-2025-57833	9 Sep 202512:08	–	githubexploit
GithubExploit	Exploit for CVE-2025-57833	8 Oct 202521:18	–	githubexploit
AlpineLinux	CVE-2025-57833	3 Sep 202500:00	–	alpinelinux
BDU FSTEC	The vulnerability of the django.utils.log.log_response() function in the Django web application framework allows a hacker to gain access and modify data in the log file.	5 Jun 202500:00	–	bdu_fstec
Chainguard	CVE-2025-57833 vulnerabilities	11 Sep 202514:22	–	cgr
Circl	CVE-2025-57833	3 Sep 202518:23	–	circl
CNNVD	Django SQL注入漏洞	3 Sep 202500:00	–	cnnvd
CVE	CVE-2025-57833	3 Sep 202500:00	–	cve

Vulners

Node

django_project djangoRange5.2a1–5.2.6pip

django_project djangoRange5.0a1–5.1.12pip

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-57833
docs	www.docs.djangoproject.com/en/dev/releases/security
groups	www.groups.google.com/g/django-announce
medium	www.medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
djangoproject	www.djangoproject.com/weblog/2025/sep/03/security-releases
github	www.github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
github	www.github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
github	www.github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
lists	www.lists.debian.org/debian-lts-announce/2025/09/msg00017.html
openwall	www.openwall.com/lists/oss-security/2025/09/03/3

05 Jun 2026 14:33Current

8High risk

Vulners AI Score8

CVSS 3.17.1 - 8.1

EPSS0.00074

SSVC