CVE-2025-64459: 
Django vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2025-64459) was discovered in Django affecting versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The vulnerability was identified in the methods QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), and the class Q(), which are susceptible to SQL injection when using a crafted dictionary with dictionary expansion as the _connector argument. The issue was discovered and reported by cyberstan, with the disclosure date of November 5, 2025 (Django Security).

The vulnerability exists in Django's Object-Relational Mapping (ORM) component, specifically in the handling of the _connector keyword argument in the django.db.models.queryutils.Q class constructor. When methods like QuerySet.filter(), QuerySet.exclude(), or QuerySet.get() are called with a dictionary using the ** expansion syntax, an attacker can control the connector value to inject malicious SQL fragments. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD, Miggo).

The vulnerability allows attackers to perform SQL injection attacks by manipulating the _connector parameter. For example, an attacker could inject SQL fragments such as 'OR 1=1 OR' through HTTP query parameters, potentially gaining unauthorized access to or modifying database contents. This could lead to data breach, data manipulation, or unauthorized access to the application's database (Security Blog).

The vulnerability has been patched in Django versions 5.2.8, 5.1.14, and 4.2.26. The fix implements validation of the connector value, restricting it to only accept legitimate values ('AND', 'OR', 'XOR', or None). Users are strongly encouraged to upgrade to these patched versions immediately. The fix includes input validation that raises a ValueError if the connector value is not one of the allowed values (Django Security).