The Django development team has recently addressed a critical security vulnerability, identified as CVE-2025-57833, which could allow attackers to execute malicious SQL code on web servers utilizing the popular Django framework. This high-severity flaw affects multiple versions of Django, prompting an urgent call for all users to upgrade their installations immediately.
Understanding the Vulnerability
The vulnerability resides within Django’s `FilteredRelation` component, a feature designed to simplify complex database queries by adding extra columns based on filter conditions. While this feature offers valuable flexibility for developers, a gap in input validation was discovered that could be exploited in dangerous ways.
Specifically, the `FilteredRelation` functionality failed to properly sanitize dictionary keys when used with the `QuerySet.annotate()` or `QuerySet.alias()` methods. This oversight means that a malicious actor could pass a specially crafted dictionary via keyword arguments (`kwargs`) that manipulates how column aliases are generated, ultimately inserting arbitrary SQL code directly into the database query.
Such an exploit could expose sensitive data, compromise database integrity, or allow unauthorized changes to records.
Affected Versions and Patches
The following supported versions of Django are affected by this vulnerability:
– Django 5.2
– Django 5.1
– Django 4.2
– The main development branch
To address this issue, the Django team has released patched versions:
– Django 5.2.6
– Django 5.1.12
– Django 4.2.24
These patches eliminate the SQL injection risk by fixing the alias generation logic to prevent unsanitized inputs from being processed.
Official Statement from the Django Team
In an official security release dated September 3, 2025, the Django Project team stated:
In accordance with our security release policy, the Django team is issuing releases for Django 5.2.6, Django 5.1.12, and Django 4.2.24. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
The post further details that CVE-2025-57833 was responsibly disclosed by Eyal Gabay from EyalSec, who identified the issue and reported it privately to the Django team.
How to Apply the Fix
The security patches have been merged into Django’s main branch as well as each of the supported release branches. Developers can review and apply the updates using the following commit identifiers:
– Main branch: 51711717098d3f469f795dfa6bc3758b24f69ef7
– 5.2 branch: 4c044fcc866ec226f612c475950b690b0139d243
– 5.1 branch: 102965ea93072fe3c39a30be437c683ec1106ef5
– 4.2 branch: 31334e6965ad136a5e369993b01721499c5d1a92
The new versions can be downloaded from the Django website, and each release is signed using PGP key ID 3955B19851EA96EF for integrity verification.
Before deploying to production, developers are strongly advised to test their applications after applying the patch to ensure compatibility and stability.
Final Recommendation
To protect applications from the high-severity Django web vulnerability identified as CVE-2025-57833, the Django Project urges all users to upgrade immediately to the patched versions, Django 5.2.6, 5.1.12, or 4.2.24, especially if their applications utilize the `FilteredRelation` feature or manage sensitive data.
This vulnerability underscores the importance of maintaining up-to-date frameworks and implementing proactive security practices. While the quick response from the Django team and security researchers has mitigated the risk, it is ultimately up to developers and organizations to apply the necessary updates and protect their systems against potential SQL injection threats.
