The Django team has released security updates addressing two vulnerabilities in the popular Python web framework.
One is rated high severity and the other moderate. Together they could let an attacker inject SQL into database queries or exhaust server resources to take a service down.
The more serious of the two, CVE-2025-13372, is a high-severity SQL injection affecting projects that use PostgreSQL. The flaw lies in the FilteredRelation class, specifically in how it handles column aliases.
It is exploitable when an attacker controls the keys of a dictionary that the application expands (as **kwargs) into QuerySet.annotate() or QuerySet.alias(): each key becomes a column alias, and a suitably crafted alias allows SQL to be injected into the resulting query. The vulnerable path is only reachable if untrusted input can choose those alias names, but the fix is to upgrade rather than to rely on that.
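The practical lesson from the FilteredRelation issue is that dictionary keys expanded into annotate() or alias() are SQL column aliases and must never come from untrusted input. The following is an added example, not Django's code or its patch: a strict pre-filter that a hypothetical view could run over request-supplied alias names before they reach **kwargs. The ALLOWED_RELATIONS set, the REQUESTED sample dictionary and the model fields named in build_annotations() are all constructed for illustration. Django applies its own alias checks internally; this filter is defence in depth and not a substitute for installing the fixed release.

```python
import re

# Alias names that are plain identifiers only. This is deliberately narrower
# than what Django itself accepts: the goal is to keep anything that could be
# interpreted as SQL syntax out of a column alias entirely.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

# Hypothetical allowlist of relations a caller may build a FilteredRelation on.
ALLOWED_RELATIONS = {"book", "author"}

# Constructed sample of what a request might hand us (alias -> relation name).
REQUESTED = {
    "recent_books": "book",      # acceptable
    "coauthors": "author",       # acceptable
    'evil" alias': "book",       # quote and whitespace: not an identifier
    "a__b": "book",              # '__' is Django's lookup separator, keep it out
    "anything": "payment",       # relation not allowlisted
}


def validate_alias_map(requested):
    """Split a user-supplied alias -> relation mapping into an accepted dict
    and a list of (alias, reason) rejections. Only accepted keys may ever be
    expanded into QuerySet.annotate(**...) or QuerySet.alias(**...)."""
    accepted, rejected = {}, []
    for alias, relation in requested.items():
        if not isinstance(alias, str) or not ALIAS_RE.fullmatch(alias):
            rejected.append((alias, "alias is not a plain identifier"))
        elif "__" in alias:
            rejected.append((alias, "alias contains '__'"))
        elif relation not in ALLOWED_RELATIONS:
            rejected.append((alias, "relation not allowlisted"))
        else:
            accepted[alias] = relation
    return accepted, rejected


def build_annotations(accepted, since_year):
    """Turn validated pairs into FilteredRelation annotations. Requires Django
    and assumes a hypothetical `year` field on each relation; imported lazily
    so the validator above runs without Django installed. Usage would be
    `Book.objects.annotate(**build_annotations(accepted, 2020))`."""
    from django.db.models import FilteredRelation, Q

    return {
        alias: FilteredRelation(relation, condition=Q(**{f"{relation}__year__gte": since_year}))
        for alias, relation in accepted.items()
    }


if __name__ == "__main__":
    ok, bad = validate_alias_map(REQUESTED)
    print("accepted:", ok)
    for alias, reason in bad:
        print(f"rejected {alias!r}: {reason}")
```

Rejected entries are reported rather than silently dropped so that a log line exists when someone probes the endpoint with odd alias names; in a real view that list is the thing worth alerting on.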
The second vulnerability, CVE-2025-64460, is a moderate-severity denial-of-service issue in the XML serializer.
Django found that django.core.serializers.xml_serializer.getInnerText() has an algorithmic-complexity problem: the work it does grows faster than the size of its input.
| CVE ID | Vulnerability Type | Severity |
|---|---|---|
| CVE-2025-13372 | SQL Injection | High |
| CVE-2025-64460 | Denial of Service (DoS) | Moderate |
When the serializer processes specially crafted XML input, getInnerText() builds the text of each node by repeatedly concatenating strings as it recursively collects text nodes.
Because the concatenation is repeated at every level of the recursion, computation time grows superlinearly with the size of the input, so CPU time and memory climb far faster than the document itself.
A remote attacker who can submit XML for deserialization could use this to make the service unresponsive or crash it outright.
Django has released 5.2.9, 5.1.15, and 4.2.27 to address both issues, and developers are strongly advised to upgrade right away.
Both vulnerabilities affect all supported versions of Django, including the main development branch and the upcoming Django 6.0, which is currently at release-candidate status.
Developers tracking main or the Django 6.0 release candidate should pull the latest commits from the official repository, which carry the fixes.
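To see why repeated concatenation inside a recursive text collector becomes superlinear, the added example below (not Django's getInnerText() or its fix) models the pattern with xml.dom.minidom. inner_text_superlinear() builds a fresh string at every recursion level, so the text of a deep leaf is copied once per ancestor; inner_text_linear() appends each text node once to a single list and joins once. The nested <n> document produced by build_nested_xml() is constructed input, and chars_copied_superlinear() is the closed-form count of characters the slow version moves on that shape of input.

```python
import time
from xml.dom import minidom


def build_nested_xml(depth: int, chunk: str) -> str:
    """Constructed input: `depth` nested <n> elements, each holding `chunk`
    as a text node, e.g. depth=2 -> <n>chunk<n>chunk</n></n>."""
    opening = "".join(f"{chunk}<n>" for _ in range(depth - 1))
    return "<n>" + opening + chunk + "</n>" * depth


def inner_text_superlinear(node) -> str:
    """Collect inner text the expensive way: each recursion level builds its
    own string and the parent copies it again, so the cost is roughly
    nesting depth times total text rather than total text alone."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_superlinear(child)
    return text


def inner_text_linear(node) -> str:
    """Collect the same text in one pass: every text node is appended once to
    a shared list and the list is joined once at the end."""
    parts = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
                parts.append(child.data)
            elif child.nodeType == child.ELEMENT_NODE:
                walk(child)

    walk(node)
    return "".join(parts)


def collect(xml_text: str, fn=inner_text_linear) -> str:
    """Parse `xml_text` and collect the document element's inner text with `fn`."""
    root = minidom.parseString(xml_text).documentElement
    return fn(root)


def chars_copied_superlinear(depth: int, chunk_len: int) -> int:
    """Characters moved by inner_text_superlinear on build_nested_xml input:
    level k (leaf = 1) copies its own chunk plus the k-1 chunks beneath it,
    giving chunk_len * depth * (depth + 1) / 2 in total."""
    return sum(chunk_len * k for k in range(1, depth + 1))


def timed(fn, node) -> float:
    start = time.perf_counter()
    fn(node)
    return time.perf_counter() - start


if __name__ == "__main__":
    # 600 levels stays under CPython's default recursion limit for the demo.
    depth, chunk = 600, "x" * 800
    root = minidom.parseString(build_nested_xml(depth, chunk)).documentElement
    print(f"total text: {depth * len(chunk)} chars, "
          f"copied by the superlinear version: {chars_copied_superlinear(depth, len(chunk))}")
    print(f"superlinear: {timed(inner_text_superlinear, root):.3f}s  "
          f"linear: {timed(inner_text_linear, root):.3f}s")
```

The two collectors return identical text; only the amount of copying differs, which is exactly the kind of defect that stays invisible in functional tests and shows up only when someone feeds the endpoint a large, deeply nested document.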
The post Multiple Django Vulnerabilities Enables SQL Injection and Denial-of-Service Attacks appeared first on Cyber Security News.