GHSA-6W2R-R2M5-XQ5W Django is subject to SQL injection through its column aliases

🗓️ 08 Sep 2025 18:31:31Reported by GoogleType

osv🔗 osv.dev👁 2 Views

Django is vulnerable to SQL injection via column aliases in FilteredRelation with crafted kwargs in annotate or alias.

Reporter	Title	Published	Views	Family All 128
FreeBSD	Django -- multiple vulnerabilities	1 Sep 202500:00	–	freebsd
GithubExploit	Exploit for CVE-2025-57833	5 Sep 202505:03	–	githubexploit
GithubExploit	Exploit for CVE-2025-57833	9 Sep 202512:08	–	githubexploit
GithubExploit	Exploit for CVE-2025-57833	8 Oct 202521:18	–	githubexploit
AlpineLinux	CVE-2025-57833	3 Sep 202500:00	–	alpinelinux
Chainguard	CVE-2025-57833 vulnerabilities	11 Sep 202514:22	–	cgr
Circl	CVE-2025-57833	3 Sep 202518:23	–	circl
CNNVD	Django SQL注入漏洞	3 Sep 202500:00	–	cnnvd
CVE	CVE-2025-57833	3 Sep 202500:00	–	cve
Cvelist	CVE-2025-57833	3 Sep 202500:00	–	cvelist

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-57833
github	www.github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
github	www.github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
github	www.github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
docs	www.docs.djangoproject.com/en/dev/releases/security
github	www.github.com/django/django
github	www.github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-105.yaml
groups	www.groups.google.com/g/django-announce
lists	www.lists.debian.org/debian-lts-announce/2025/09/msg00017.html
medium	www.medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898

05 Jun 2026 14:45Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.1

EPSS0.00074