CVE-2025-57833: 
Django Análise e mitigação de vulnerabilidades

A high-severity SQL injection vulnerability (CVE-2025-57833) was discovered in Django versions 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. The vulnerability exists in FilteredRelation where SQL injection is possible through column aliases when using a specially crafted dictionary with dictionary expansion in the **kwargs passed to QuerySet.annotate() or QuerySet.alias() (Django Security, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N. The issue specifically affects the FilteredRelation functionality when used with selectrelated, where an attacker with control over the FilteredRelation and selectrelated parameters can manipulate SQL queries (Security Online, EyalSec Blog).

The vulnerability can lead to unauthorized data access and potential remote code execution (RCE) specifically on PostgreSQL databases through SQL injection. On other database systems, the impact is limited to SQL injection capabilities. This could allow attackers to access, modify, or exfiltrate sensitive data from the application's database (EyalSec Blog).

The Django team has released patched versions to address this vulnerability: Django 5.2.6, Django 5.1.12, and Django 4.2.24. Users are strongly encouraged to upgrade to these versions immediately. The fixes have been applied to Django's main, 5.2, 5.1, and 4.2 branches (Django Security).

The Django Software Foundation classified this vulnerability as 'high' severity according to their security policy. The security community has shown particular concern due to the unauthenticated nature of the exploit and its potential for RCE on PostgreSQL databases (Security Online).