The Django security team released critical patches on November 5, 2025, addressing two significant vulnerabilities affecting multiple versions of the popular Python web framework.
Django 5.2.8, 5.1.14, and 4.2.26 now include fixes for CVE-2025-64458 and CVE-2025-64459, vulnerabilities that could allow attackers to launch denial-of-service attacks and execute SQL injection exploits through carefully crafted inputs.
Critical SQL Injection Vulnerability in Query Operations
The more severe vulnerability, CVE-2025-64459, presents a high-risk SQL injection flaw affecting Django’s core query functionality.
The QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods can be abused through a malicious _connector keyword argument.
When developers expand a dictionary of untrusted values into these methods, insufficient validation of that argument opens the door to SQL injection.
This vulnerability impacts Django 5.2, 5.1, 4.2, and the 6.0 beta, making it a widespread concern across the framework’s user base.
The security team addressed the issue through patches applied across all affected branches, with detailed changesets available on the Django GitHub repository.
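The exposure described above arises when request parameters are expanded straight into a query method, for example `Model.objects.filter(**request.GET.dict())`. The upgrade is the fix; the following is an added defensive example, not Django's own code or its patch, showing the allowlist a view should apply to user-supplied filter keys before any dictionary expansion. The model fields, lookups and sample parameters are constructed for illustration.

```python
"""Added example (not Django's code or patch): allowlist user-supplied filter
keys before expanding them into QuerySet.filter(), exclude() or get().

Keys beginning with an underscore are the namespace Django uses for internal
keyword arguments such as _connector, so they are refused before any other
check.  Field names and lookups are then matched against an explicit table.
"""
import re

# Hypothetical allowlist for a product-search view: field name -> permitted lookups.
ALLOWED_FILTERS = {
    "name": {"exact", "icontains"},
    "price": {"exact", "gte", "lte"},
    "category_id": {"exact"},
}

# Field names are lower-case identifiers; anything else is rejected outright.
_FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")


class UnsafeFilterKey(ValueError):
    """Raised when a user-supplied filter key is not on the allowlist."""


def sanitize_filter_kwargs(user_params, allowed=ALLOWED_FILTERS):
    """Return a dict that is safe to expand into filter()/exclude()/get().

    Every key must name an allowlisted field, optionally followed by one
    allowlisted lookup (e.g. "price__lte").  Reserved underscore-prefixed
    keys, unknown fields, unknown lookups and chained lookups all raise.
    """
    safe = {}
    for key, value in user_params.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeFilterKey(f"reserved or non-string key: {key!r}")
        field, sep, lookup = key.partition("__")
        if not _FIELD_RE.match(field):
            raise UnsafeFilterKey(f"malformed field name: {key!r}")
        lookup = lookup if sep else "exact"        # bare field name means exact match
        if field not in allowed or lookup not in allowed[field]:
            raise UnsafeFilterKey(f"filter not permitted: {key!r}")
        safe[key] = value
    return safe


def filter_kwargs_or_none(user_params, allowed=ALLOWED_FILTERS):
    """Non-raising variant for views that prefer to refuse bad requests quietly."""
    try:
        return sanitize_filter_kwargs(user_params, allowed)
    except UnsafeFilterKey:
        return None


if __name__ == "__main__":
    # Constructed query-string parameters, as a view would receive them.
    good = {"name__icontains": "lamp", "price__lte": "50"}
    bad = {"name": "lamp", "_connector": "anything"}
    print(sanitize_filter_kwargs(good))   # usable as Product.objects.filter(**...)
    print(filter_kwargs_or_none(bad))     # None: reserved key refused
```

With this in place the view calls `Product.objects.filter(**sanitize_filter_kwargs(request.GET.dict()))` (hypothetical model) and unknown or reserved keys never reach the ORM. The allowlist also protects against filtering on fields the client should not be able to query, which the framework cannot decide on its own.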
CVE-2025-64458 specifically targets Windows deployments and stems from the poor performance of Python’s NFKC Unicode normalization on that platform.
It affects HttpResponseRedirect and HttpResponsePermanentRedirect, which process user input that can contain very large numbers of Unicode characters.
Because this normalization is substantially slower on Windows than on other platforms, an attacker could send specially crafted requests carrying excessive Unicode characters to consume server resources and degrade application performance, creating a denial-of-service vector.
While classified as moderate severity, this vulnerability remains important for Windows-based Django installations.
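Independently of the framework fix, a view that redirects to a user-supplied target (a "next" parameter, for instance) can bound that input before it is handed to HttpResponseRedirect, so expensive per-character work is only ever done on strings of a sensible length. The following is an added example, not Django's code or its patch; the length limit, host allowlist and policy of accepting only absolute-path or allowlisted-host targets are constructed for illustration.

```python
"""Added example (not Django's code or patch): validate a user-supplied redirect
target before it reaches HttpResponseRedirect / HttpResponsePermanentRedirect.

The cheap length check runs first, so nothing that walks the string character
by character (control-character scan, URL parsing, the framework's own
normalization) is ever applied to oversized input.
"""
from urllib.parse import urlsplit

MAX_REDIRECT_LEN = 2048                     # constructed limit; well above any real "next" URL
ALLOWED_REDIRECT_HOSTS = {"example.com"}    # hypothetical first-party host
_CONTROL_CHARS = set("\r\n\x00")


def safe_redirect_target(raw, default="/"):
    """Return `raw` if it is an acceptable redirect target, otherwise `default`.

    Accepted forms: an absolute path ("/account/") or an http(s) URL whose host
    is allowlisted.  Scheme-relative targets ("//host"), backslashes and
    header-splitting characters are refused.
    """
    if not isinstance(raw, str) or not raw or len(raw) > MAX_REDIRECT_LEN:
        return default                      # size bound before any other work
    if _CONTROL_CHARS.intersection(raw) or "\\" in raw:
        return default                      # CR/LF/NUL or browser-tolerated backslash tricks
    try:
        parts = urlsplit(raw)
    except ValueError:
        return default                      # e.g. malformed IPv6 literal
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return default
        if parts.netloc.lower() not in ALLOWED_REDIRECT_HOSTS:
            return default                  # open-redirect guard
        return raw
    if raw.startswith("/") and not raw.startswith("//"):
        return raw                          # plain absolute path on this site
    return default                          # "//host", "///host", relative junk


if __name__ == "__main__":
    # Constructed inputs: a normal target, an oversized one, an off-site one.
    for candidate in ("/account/", "/" + "\u00e9" * 5000, "https://evil.example/"):
        print(repr(candidate[:30]), "->", safe_redirect_target(candidate))
```

In a real view the result is passed as `HttpResponseRedirect(safe_redirect_target(request.GET.get("next")))`. Django also ships `django.utils.http.url_has_allowed_host_and_scheme()` for the host and scheme part of this check; the point the example adds is that the length bound belongs in front of it.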
All Django users should prioritize upgrading to the patched versions immediately.
The security team encourages prompt adoption of Django 5.2.8, 5.1.14, or 4.2.26, depending on which version your project currently uses.
The patches are available for download on the official Django website, along with verified checksums for secure installation.
Organizations running older versions of Django should evaluate their update strategy and plan migrations to supported versions containing these critical security fixes.
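To act on the upgrade guidance across many environments it helps to classify each installed Django against the patched releases the advisory names. The following is an added helper, not part of the advisory or of Django; it uses only the three patched versions stated above and reports any other series (such as the 6.0 beta or an end-of-life branch) as "unlisted" so it can be evaluated separately.

```python
"""Added example (not part of the advisory): classify an installed Django
version against the patched releases named in the advisory.

Series not listed in PATCHED_MINIMUM are reported as "unlisted" rather than
guessed at, so end-of-life branches and pre-releases get a manual review.
"""
import re

# Minimum patched release per supported series, as stated in the advisory.
PATCHED_MINIMUM = {
    (5, 2): (5, 2, 8),
    (5, 1): (5, 1, 14),
    (4, 2): (4, 2, 26),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Leading numeric major.minor[.patch] of a version string, or None.

    Pre-release suffixes ("6.0b1") are ignored for comparison purposes; such a
    version will land in an unlisted series anyway.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    floor = PATCHED_MINIMUM.get(v[:2])
    if floor is None:
        return "unlisted"
    return "patched" if v >= floor else "vulnerable"


def installed_django_version():
    """Version string of the Django importable in this interpreter, or None."""
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    current = installed_django_version()
    if current is None:
        print("Django is not installed in this environment")
    else:
        print(f"Django {current}: {assess(current)}")
```

Run inside each project's virtual environment; "vulnerable" means the series is supported and the release is below the patched minimum, while "unlisted" is the cue to consult the release notes and plan a migration as the advisory recommends.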
| CVE ID | Vulnerability Type | Affected Component | CVSS Score | Attack Vector | Patched Versions |
|---|---|---|---|---|---|
| CVE-2025-64458 | Denial of Service | HttpResponseRedirect, HttpResponsePermanentRedirect | 5.3 (Moderate) | Unicode character normalization via NFKC | 5.2.8, 5.1.14, 4.2.26 |
| CVE-2025-64459 | SQL Injection | QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), Q() | 8.6 (High) | Crafted dictionary with _connector argument | 5.2.8, 5.1.14, 4.2.26 |