Django is vulnerable to SQL injection in column aliases

🗓️ 02 Dec 2025 18:30:35Reported by GitHub Advisory DatabaseType

FilteredRelation column aliases are vulnerable to dictionary expansion in annotate or alias for specific Django versions.

Reporter	Title	Published	Views	Family All 85
AlpineLinux	CVE-2025-13372	2 Dec 202515:13	–	alpinelinux
Chainguard	CVE-2025-13372 vulnerabilities	10 Dec 202501:30	–	cgr
Circl	CVE-2025-13372	2 Dec 202514:49	–	circl
CNNVD	Django 安全漏洞	2 Dec 202500:00	–	cnnvd
CVE	CVE-2025-13372	2 Dec 202515:13	–	cve
Cvelist	CVE-2025-13372 Potential SQL injection in FilteredRelation column aliases on PostgreSQL	2 Dec 202515:13	–	cvelist
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses django-4.2.26-py3-none-any.whl which are vulnerable to CVE-2025-13372, CVE-2025-64460.	30 Jan 202605:45	–	ibm
Debian	[SECURITY] [DSA 6117-1] python-django security update	31 Jan 202612:32	–	debian
Debian	[SECURITY] [DSA 6136-1] python-django security update	15 Feb 202621:52	–	debian
Debian CVE	CVE-2025-13372	2 Dec 202515:13	–	debiancve

Vulners

Node

django_project djangoRange4.2a1–4.2.27pip

django_project djangoRange5.1a1–5.1.15pip

django_project djangoRange5.2a1–5.2.9pip

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-13372
docs	www.docs.djangoproject.com/en/dev/releases/security
groups	www.groups.google.com/g/django-announce
djangoproject	www.djangoproject.com/weblog/2025/dec/02/security-releases
github	www.github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
github	www.github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
github	www.github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
github	www.github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
github	www.github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
github	www.github.com/advisories/GHSA-rqw2-ghq9-44m7

03 Dec 2025 14:07Current

8High risk

Vulners AI Score8

CVSS 3.14.3

EPSS0.00006

SSVC