BIT-django-2025-57833
PUBLISHED
CVSS 8.1 HIGH
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases: a suitably crafted dictionary, passed with dictionary expansion as the `**kwargs` to QuerySet.annotate() or QuerySet.alias(), can inject SQL through the alias name.
Risk Scores
CVSS 3.1
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 4.2.0, 5.1.0, 5.2.0 |
Exploit Intelligence
- CVE-2025-57833 PoC (vulnerable book search service) (github-poc)
- Analysis and reproduction of CVE-2025-57833 (github-poc)
- loic-houchi/Django-faille-CVE-2025-57833_test (github-poc)
- We've set up an environment to test CVE-2025-57833. This environment was built using AI, so it's subject to ongoing modification. (github-poc)
Timeline
- Sep 25, 2025 CVE Published
- Apr 21, 2026 CVE Updated
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/g/django-announce
- https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
- https://nvd.nist.gov/vuln/detail/CVE-2025-57833
- https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
- http://www.openwall.com/lists/oss-security/2025/09/03/3
- https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html