
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The vulnerability affects QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods when using MySQL and MariaDB databases. The vulnerability was discovered by sw0rd1ight and publicly disclosed on October 1, 2025 (Django Weblog).
The vulnerability allows SQL injection through column aliases: when a specially crafted dictionary is expanded as **kwargs into one of the affected QuerySet methods (annotate(), alias(), aggregate(), or extra()), the alias names reach the generated SQL on the MySQL and MariaDB backends. The issue has been rated 'High' severity under Django's security policy. It has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N (NVD).
The SQL injection vulnerability could allow attackers to manipulate SQL queries, potentially leading to unauthorized data access or data manipulation in Django applications running on MySQL and MariaDB databases. The CVSS score indicates high confidentiality impact and low integrity impact, with no availability impact (Security Online).
The Django team has released patched versions to address this vulnerability: Django 5.2.7, Django 5.1.13, and Django 4.2.25. Users are strongly encouraged to upgrade to these versions immediately. The fixes have been applied to Django's main, 6.0 (alpha), 5.2, 5.1, and 4.2 branches (Django Weblog).
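Two checks a defender would want from this report, written here as an added example (not code from the Django project or from the advisory): a helper that refuses to build the **kwargs dictionary for annotate()/alias()/aggregate() unless every alias is a plain identifier, so caller-supplied alias names never carry SQL syntax into the query, and a version check against the fixed releases named above (4.2.25, 5.1.13, 5.2.7). The expression values in the sample are constructed placeholder strings; in real code they would be Django expressions such as Count("id"), which the helper treats as opaque. The function and class names are this example's own.

```python
import re

# Strict allowlist for a column alias: letters, digits and underscores, not
# starting with a digit, bounded length. Quotes, whitespace, comment markers
# and every other SQL metacharacter fail this pattern.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class UnsafeAliasError(ValueError):
    """Raised when a caller-supplied alias is not a plain identifier."""


def validate_alias(alias) -> str:
    """Return the alias unchanged if it is a safe identifier, else raise."""
    if not isinstance(alias, str) or not _ALIAS_RE.fullmatch(alias):
        raise UnsafeAliasError(f"rejected column alias: {alias!r}")
    return alias


def safe_alias_kwargs(expressions: dict) -> dict:
    """Validate every key before the dict is expanded as **kwargs into
    QuerySet.annotate() / alias() / aggregate(). Values are passed through
    untouched; only the alias names (the dict keys) are checked."""
    return {validate_alias(alias): expr for alias, expr in expressions.items()}


# Fixed releases from the advisory, keyed by release series (hypothetical
# helper table built from the versions the report lists).
FIXED_VERSIONS = {
    (4, 2): (4, 2, 25),
    (5, 1): (5, 1, 13),
    (5, 2): (5, 2, 7),
}


def parse_version(version: str) -> tuple:
    """Turn 'X.Y.Z' (or 'X.Y', or 'X.Ya1') into a three-int tuple."""
    nums = []
    for part in version.split(".")[:3]:
        digits = re.match(r"\d+", part)
        if digits is None:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(digits.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str):
    """True if the version is in an affected series and below its fix,
    False if at or above the fix, None if the series is not covered here."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    # Constructed sample: the caller chose the alias names, the server chose
    # the expressions. The first dict passes; the second is rejected.
    ok = safe_alias_kwargs({"total": "Count('id')", "latest": "Max('created')"})
    print("accepted aliases:", sorted(ok))
    try:
        safe_alias_kwargs({"total; not an identifier": "Count('id')"})
    except UnsafeAliasError as exc:
        print("rejected:", exc)
    for ver in ("4.2.24", "4.2.25", "5.1.12", "5.2.7", "3.2.25"):
        print(ver, "vulnerable:", is_vulnerable(ver))
```

Upgrading is the fix; the alias check is defence in depth for code paths that let clients name output columns and is worth keeping even on patched versions, since it also rejects aliases that would shadow model fields or reserved words through sheer accident.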
Source: This report was generated using AI