CVE-2025-64459
Published: 05 November 2025
Summary
CVE-2025-64459 is a critical-severity SQL Injection (CWE-89) vulnerability in Djangoproject Django. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and patching of flaws like this SQL injection vulnerability in Django ORM methods.
Requires validation of information inputs to prevent crafted dictionaries from enabling SQL injection via the _connector argument in Django's QuerySet methods.
Enforces boundary protection that can include web application firewalls to block or detect SQL injection attempts targeting the vulnerable Django ORM.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in Django web framework enables remote exploitation of public-facing applications (T1190) and arbitrary SQL queries for data collection from databases (T1213.006).
NVD Description
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as…
more
the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
Deeper analysisAI
CVE-2025-64459 is a SQL injection vulnerability affecting Django, a Python web framework. It impacts versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8, specifically in the ORM methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), as well as the Q() class. The flaw arises when a suitably crafted dictionary, expanded via dictionary expansion, is passed as the _connector argument, enabling SQL injection. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-89.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation occurs if untrusted input can influence the _connector argument in the affected ORM methods, allowing attackers to inject and execute arbitrary SQL queries. Successful attacks can result in high confidentiality and integrity impacts, such as unauthorized data access, modification, or extraction from the underlying database.
Django's security advisories recommend upgrading to the patched releases: 5.1.14, 4.2.26, or 5.2.8. Details are available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce group at https://groups.google.com/g/django-announce, and the November 5, 2025 weblog post at https://www.djangoproject.com/weblog/2025/nov/05/security-releases/. The vulnerability was reported by cyberstan.
Details
- CWE(s)