CVE-2025-64459 (Critical) detected in Django-3.2.19-py3-none-any.whl, Django-3.2.14-py3-none-any.whl #508
Description
CVE-2025-64459 - Critical Severity Vulnerability
Vulnerable Libraries - Django-3.2.19-py3-none-any.whl, Django-3.2.14-py3-none-any.whl
Django-3.2.19-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/22/af/979a4c610e727cc936c3db3d48cfcb3c270e106ff919f23fc1a27870ba00/Django-3.2.19-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-model-subscription
Path to vulnerable library: /tmp/ws-scm/django-model-subscription
Dependency Hierarchy:
- ❌ Django-3.2.19-py3-none-any.whl (Vulnerable Library)
Django-3.2.14-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/c0/a8/4afc7742ad1e506909ce8c5056761f22c8a2db0a8b4a46cfa290b1cd6685/Django-3.2.14-py3-none-any.whl
Dependency Hierarchy:
- ❌ Django-3.2.14-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here