CVE-2025-59681 — Vulnetix

CVE-2025-59681 PUBLISHED

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

EPSS 0.01% · 2.7th percentile

Risk Scores

EPSS Score

0.01%

2.7th percentile

Affected Products

Vendor	Product	Versions
Bitnami	django	4.2.0, 5.1.0, 5.2.0
Bitnami	django	5.1.0, 5.2.0, 4.2.0

Timeline

CVE Published
Oct 2, 2025 EPSS Score
Oct 9, 2025 EPSS Score
Oct 15, 2025 EPSS Score
Oct 22, 2025 EPSS Score
Oct 28, 2025 EPSS Score
Nov 4, 2025 EPSS Score
Nov 10, 2025 EPSS Score
Nov 17, 2025 EPSS Score
Nov 23, 2025 EPSS Score
Nov 30, 2025 EPSS Score
Dec 2, 2025 PoC Published

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/g/django-announce url
https://nvd.nist.gov/vuln/detail/CVE-2025-59681 url
https://www.djangoproject.com/weblog/2025/oct/01/security-releases/ url
http://www.openwall.com/lists/oss-security/2025/10/01/3 url

Open in Interactive Console →