GHSA-frmv-pr5f-9mcr: Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Skip to content

Navigation Menu

• • AI CODE CREATION

    • GitHub CopilotWrite better code with AI

    • GitHub SparkBuild and deploy intelligent apps

    • GitHub ModelsManage and compare prompts

    • MCP RegistryNewDiscover and integrate external tools

View all features

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-64459

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Critical severity GitHub Reviewed Published Nov 5, 2025 to the GitHub Advisory Database • Updated Nov 5, 2025

Affected versions

>= 5.2a1, < 5.2.8

>= 5.0a1, < 5.1.14

< 4.2.26

Patched versions

5.2.8

5.1.14

4.2.26

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-64459
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2025/nov/05/security-releases
• django/django@06dd383
• django/django@59ae82e
• django/django@6703f36
• django/django@72d2c87

Published to the GitHub Advisory Database

Nov 5, 2025

EPSS score