An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Affected Packages

PyPI Django

Affected versions: 4.2 (fixed in 4.2.25)

PyPI Django

Affected versions: 5.1 (fixed in 5.1.13)

PyPI Django

Affected versions: 5.2 (fixed in 5.2.7)

Related CVEs

CVE-2025-59681

Key Information

GHSA ID

GHSA-hpr9-3m2g-3j9p

Published

October 1, 2025 9:31 PM

Last Modified

November 5, 2025 8:47 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

Django

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.