The Django team has issued new releases for the popular Python web framework, addressing two vulnerabilities that could lead to SQL injection and directory traversal attacks. The patched versions are Django 5.2.7, Django 5.1.13, and Django 4.2.25, with fixes also applied to the framework’s main and 6.0 alpha branches.
The most severe issue, tracked as CVE-2025-59681, affects MySQL and MariaDB backends. According to the advisory, “QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB.”
This is rated High severity under the Django policy. A successful exploit could allow attackers to manipulate SQL queries, potentially leading to data exposure or corruption in Django applications running on affected databases.
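The injection vector the advisory describes is a dictionary, expanded with ** into the keyword arguments of annotate() and friends, whose keys end up as column aliases. Keyword syntax in Python source only admits identifiers, but dictionary expansion admits any string, so client-controlled keys are the thing to look for when reviewing code as the mitigation paragraph below suggests. The following is an added example, not Django code and not the patch: a wrapper that validates alias names against a strict identifier allowlist before they are forwarded, with constructed sample aliases. ALIAS_RE, ALLOWED_EXPRESSIONS and the stand-in expression strings are assumptions of this example; the real ORM would receive expression objects.

```python
import re

# Strict allowlist for a column alias: a plain SQL identifier of bounded
# length. This pattern is an assumption of this example and is deliberately
# narrower than anything a database would accept, so that quoting characters,
# whitespace, '%' and comment markers can never reach the alias position.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Stand-in for the server-side expressions a view is prepared to compute.
# Values are placeholder strings; in real code they would be ORM expressions.
ALLOWED_EXPRESSIONS = {
    "order_total": "Sum('orders__amount')  # placeholder",
    "order_count": "Count('orders')  # placeholder",
}

# Constructed candidate aliases, as a client might submit them in a request.
SAMPLE_ALIASES = ["order_total", "total;--", "total count", "total%s", "`total`"]


def validate_alias(alias: str) -> str:
    """Return the alias unchanged if it is a plain identifier, else raise."""
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError(f"refusing column alias {alias!r}")
    return alias


def triage(aliases):
    """Split candidate aliases into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for alias in aliases:
        (accepted if ALIAS_RE.fullmatch(alias) else rejected).append(alias)
    return accepted, rejected


def build_annotation_kwargs(requested: dict, allowed: dict) -> dict:
    """Build the dict that would be expanded into annotate(**kwargs).

    `requested` maps the alias the client wants to the name of a pre-defined
    expression. Both the alias and the expression name are checked: a
    malformed alias or an unknown expression is rejected, not forwarded.
    """
    kwargs = {}
    for alias, expr_name in requested.items():
        if expr_name not in allowed:
            raise ValueError(f"unknown expression {expr_name!r}")
        kwargs[validate_alias(alias)] = allowed[expr_name]
    return kwargs


if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_ALIASES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print(build_annotation_kwargs({"order_total": "order_total"}, ALLOWED_EXPRESSIONS))
```

The point of the wrapper is that the client never names a column or expression directly; it picks from a fixed menu, and even the alias it chooses is checked before it can be spliced into the query. Upgrading remains the fix; this check limits exposure in code that cannot yet move to a patched release.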
The second vulnerability, CVE-2025-59682, is less severe but still concerning. It involves the django.utils.archive.extract() function, which is used by startapp --template and startproject --template.
The advisory warns: “The django.utils.archive.extract() function … allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory.”
This is rated Low severity, but in certain environments, it could be abused to overwrite files during project setup if malicious templates are used.
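The phrase "file paths sharing a common prefix with the target directory" describes a well-known pitfall in extraction code: testing containment with a string-prefix comparison, which lets a sibling directory whose name begins with the target's name pass as if it were inside. The following is an added illustration of that bug class and its fix, not Django's extract() code and not the patch. The target directory and archive member names are constructed for the example.

```python
import posixpath

# Constructed target directory and archive member names; not from any real
# template archive. posixpath is used so the example behaves the same on
# every platform.
TARGET_DIR = "/srv/projects/app"
SAMPLE_MEMBERS = [
    "app/__init__.py",           # legitimate: lands inside the target
    "../../shared/config.py",    # plain traversal: escapes /srv/projects entirely
    "../app_extra/settings.py",  # sibling whose name shares the prefix "app"
    "/etc/cron.d/job",           # absolute member: join() discards the base
]


def destination(target_dir: str, member: str) -> str:
    """Compute the path an extractor would write to for one archive member."""
    return posixpath.normpath(posixpath.join(target_dir, member))


def is_inside_by_prefix(target_dir: str, member: str) -> bool:
    """Flawed check: string prefix comparison.

    '/srv/projects/app_extra/settings.py' starts with '/srv/projects/app',
    so a sibling directory slips through even though it is outside the target.
    """
    base = posixpath.normpath(target_dir)
    return destination(target_dir, member).startswith(base)


def is_inside_by_components(target_dir: str, member: str) -> bool:
    """Correct check: the target must be a whole-component ancestor of the
    destination, which commonpath() decides on path components, not characters."""
    base = posixpath.normpath(target_dir)
    dest = destination(target_dir, member)
    return posixpath.commonpath([base, dest]) == base


def audit(target_dir: str, members):
    """Return {member: (prefix_verdict, component_verdict)} for each member."""
    return {
        m: (is_inside_by_prefix(target_dir, m), is_inside_by_components(target_dir, m))
        for m in members
    }


def safe_members(target_dir: str, members):
    """Members an extractor may write, according to the component-aware check."""
    return [m for m in members if is_inside_by_components(target_dir, m)]


if __name__ == "__main__":
    for member, (by_prefix, by_components) in audit(TARGET_DIR, SAMPLE_MEMBERS).items():
        print(f"{member:28} prefix={by_prefix!s:5} components={by_components}")
```

Running it shows the two checks agreeing on the ordinary member, the plain traversal and the absolute path, and disagreeing only on the sibling directory, which is exactly the "common prefix" case the advisory names. The same component-wise comparison is what an extractor should apply to every member before writing it, and before following symbolic links in the archive, which this example does not model.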
Both vulnerabilities affect the following supported Django versions:
- Django main
- Django 6.0 (alpha)
- Django 5.2
- Django 5.1
- Django 4.2
The Django team has released patched versions to resolve the issues:
- Django 5.2.7
- Django 5.1.13
- Django 4.2.25
The advisory strongly recommends upgrading immediately: “We encourage all users of Django to upgrade as soon as possible.”
For developers unable to upgrade right away, reviewing code for potential misuse of the affected functions and restricting the use of untrusted project templates are recommended mitigation steps.