Introduction
Attackers can exploit a single crafted dictionary to compromise the integrity of Django-powered applications that rely on advanced query features. This SQL injection risk is present in a wide range of production environments due to Django's popularity and the broad version range affected.
Django is a leading Python web framework with millions of deployments worldwide, powering high-traffic sites and critical business systems. Its ORM and query construction features are widely used for rapid development and robust data handling.
Technical Information
CVE-2025-57833 is a SQL injection vulnerability in Django's FilteredRelation feature. The vulnerability is present in the handling of column aliases when using the QuerySet.annotate() or QuerySet.alias() methods with Python's dictionary expansion (**kwargs).
The root cause is insufficient validation of dictionary keys and values used as column aliases. When a crafted dictionary is passed via **kwargs, malicious input can be injected into the SQL query as a column alias. This bypasses Django's usual protections against SQL injection, which focus on query parameters rather than structural elements like aliases.
The vulnerability is specifically triggered when user input is used to construct the dictionary passed to these methods, and FilteredRelation is involved in the query. The injection occurs during the SQL generation phase, where the unsanitized alias is incorporated directly into the query string.
No public code snippets are available, but the vulnerability is rooted in the path that processes column aliases for FilteredRelation when combined with dictionary expansion.
Patch Information
To address the SQL injection vulnerability identified in FilteredRelation column aliases (CVE-2025-57833), the Django team has implemented a patch that introduces stricter validation of column alias inputs. This enhancement ensures that any dictionary passed to QuerySet.annotate() or QuerySet.alias() undergoes thorough validation, effectively mitigating the risk of SQL injection attacks.
The core of this patch involves refining the internal mechanisms that handle column aliases within FilteredRelation. By enforcing stringent checks on the structure and content of the provided dictionaries, the patch prevents maliciously crafted inputs from compromising the application's security.
This update has been integrated into the following Django versions:
- Django 5.2.6
- Django 5.1.12
- Django 4.2.24
Developers are strongly encouraged to upgrade to these versions to benefit from the enhanced security measures. By doing so, applications will be safeguarded against potential SQL injection exploits targeting FilteredRelation column aliases.
Patch source: Django Security Releases 2025-09-03
Affected Systems and Versions
The following Django versions are affected by CVE-2025-57833:
- Django 4.2 before 4.2.24
- Django 5.1 before 5.1.12
- Django 5.2 before 5.2.6
Any application using FilteredRelation in combination with QuerySet.annotate() or QuerySet.alias() that accepts user input for dictionary expansion is at risk.
Vendor Security History
Django has a history of rapid and transparent responses to security issues. Previous vulnerabilities have included SQL injection and denial of service flaws, all of which have been addressed with timely patches and clear advisories. The Django Software Foundation maintains a mature security process, with regular security releases and a strong focus on secure defaults and best practices.