fix: set Django minimum version to 4.2.26 to address CVE-2025-64459 and CVE-2025-57833 #85
Open
maycuatroi1 wants to merge 1 commit into openstack:master from
Conversation
The current lower bound `Django>=4.2,<4.3` allows installing versions vulnerable to two SQL injection CVEs:

CVE-2025-64459 (CVSS 9.1): SQL injection via `Q()` and `QuerySet.filter()` keyword argument unpacking. When `_connector` or `_negated` are passed as keys, an attacker can manipulate the WHERE clause logic, enabling authentication bypass and data exfiltration. Fixed in 4.2.26.

CVE-2025-57833 (CVSS high): SQL injection via `FilteredRelation` alias injection in `QuerySet.annotate()` and `QuerySet.alias()`. Fixed in 4.2.24.

Bumping to `>=4.2.26` ensures both CVEs are addressed under the 4.2.x branch.
What

Bumps the Django lower bound from `>=4.2` to `>=4.2.26` in `requirements.txt`.

Why

The current constraint `Django>=4.2,<4.3` allows installing versions affected by two SQL injection CVEs.

CVE-2025-64459 (CVSS 9.1)

SQL injection via `Q()` and `QuerySet.filter()` keyword argument unpacking. If `_connector` or `_negated` are present as keys in user-controlled input passed to these methods, an attacker can manipulate the generated SQL `WHERE` clause. This enables authentication bypass and unauthorized data access. Fixed in Django 4.2.26, 5.1.14, 5.2.8.

CVE-2025-57833 (CVSS high)

SQL injection via `FilteredRelation` alias injection through `QuerySet.annotate()` and `QuerySet.alias()`. Fixed in Django 4.2.24, 5.1.12, 5.2.6.

Setting `>=4.2.26` covers both CVEs for the 4.2.x branch.

Change

References:
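As an added, defender-side example that is not part of this PR or of Django: a pure-Python allowlist guard for user-controlled query parameters before they are unpacked into `Q()` or `QuerySet.filter()`, so keys such as `_connector` and `_negated` never reach the ORM on any Django version. The names `sanitize_lookup_kwargs`, `is_safe_lookup_kwargs`, `ALLOWED_LOOKUPS` and the sample field set are assumptions; it deliberately imports nothing from Django so it runs stand-alone, and the version bump remains the primary fix.

```python
# Added example (not from the PR or from Django): an allowlist guard applied to a
# user-supplied mapping (e.g. request.GET) before ``Q(**params)`` / ``filter(**params)``.
# CVE-2025-64459 hinges on dict keys like "_connector" or "_negated" reaching those
# calls through ** unpacking; a strict "<field>" / "<field>__<lookup>" allowlist keeps
# such keys out regardless of which Django version is installed.

# Lookups a view is willing to expose to callers (assumed per-view policy).
ALLOWED_LOOKUPS = {
    "exact", "iexact", "contains", "icontains", "startswith",
    "istartswith", "in", "gt", "gte", "lt", "lte",
}


class UnsafeLookupKey(ValueError):
    """Raised when a user-supplied filter key must not reach the ORM."""


def sanitize_lookup_kwargs(params, allowed_fields):
    """Return a copy of ``params`` that is safe to unpack into Q()/filter().

    params         -- dict of user-controlled key -> value
    allowed_fields -- set of model field names this view may filter on
    Keys are accepted only as "<field>" or "<field>__<lookup>" with both parts
    allowlisted. Anything starting with "_" is rejected first, which covers
    _connector and _negated as well as other private names. Relation traversal
    ("user__profile__x") is rejected too: the lookup part must be a single token.
    """
    safe = {}
    for key, value in params.items():
        if not isinstance(key, str) or not key or key.startswith("_"):
            raise UnsafeLookupKey(f"rejected key {key!r}")
        field, _, lookup = key.partition("__")
        if field not in allowed_fields:
            raise UnsafeLookupKey(f"field {field!r} is not allowlisted")
        if lookup and lookup not in ALLOWED_LOOKUPS:
            raise UnsafeLookupKey(f"lookup {lookup!r} is not allowlisted")
        safe[key] = value
    return safe


def is_safe_lookup_kwargs(params, allowed_fields):
    """Boolean form of the guard, for use in tests or request validation."""
    try:
        sanitize_lookup_kwargs(params, allowed_fields)
    except UnsafeLookupKey:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input: a benign query next to one carrying "_connector".
    fields = {"username", "email"}
    print(sanitize_lookup_kwargs({"username__iexact": "alice"}, fields))
    print(is_safe_lookup_kwargs({"username": "alice", "_connector": "OR"}, fields))
```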