CVE-2025-57833: 
Django vulnerability analysis and mitigation

A high-severity SQL injection vulnerability (CVE-2025-57833) was discovered in Django versions 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. The vulnerability affects the FilteredRelation functionality when handling column aliases in SQL queries (Django Security, NVD).

The vulnerability exists in Django's FilteredRelation feature where SQL injection is possible through column aliases. The attack vector involves using a specially crafted dictionary with dictionary expansion as the **kwargs parameter passed to QuerySet.annotate() or QuerySet.alias() methods. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N (NVD).

The SQL injection vulnerability could allow attackers to perform unauthorized database operations, potentially leading to data theft or manipulation. The CVSS scoring indicates high confidentiality impact and low integrity impact, with no availability impact (Security Online).

The Django team has released patched versions to address this vulnerability: Django 5.2.6, Django 5.1.12, and Django 4.2.24. Users are strongly encouraged to upgrade to these versions immediately. The fixes have been applied to Django's main, 5.2, 5.1, and 4.2 branches (Django Security).