Overview
CVE-2025-13372 identifies a medium-severity SQL injection vulnerability found in Django versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. The flaw resides within the FilteredRelation functionality and can be exploited through carefully crafted dictionaries used in conjunction with dictionary expansion (**kwargs) when calling QuerySet.annotate() or QuerySet.alias() on PostgreSQL databases.
Technical Details
The vulnerability stems from insufficient sanitization of column aliases in FilteredRelation. When the **kwargs dictionary passed to QuerySet.annotate() or QuerySet.alias() is built from untrusted input, its keys become column aliases in the generated SQL, so an attacker who controls those keys can inject SQL that the database then executes. The trigger is specifically the dictionary-expansion path: alias names supplied this way were not validated before being placed into the query. While the reported versions are 5.2, 5.1 and 4.2, older unsupported Django branches such as 5.0.x, 4.1.x, and 3.2.x *may* also be vulnerable, but have not been officially assessed.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13372 a base score of 4.3, indicating MEDIUM severity. The score is built from the following base metrics:
- Attack Vector: Network (AV:N)
- Attack Complexity: High (AC:H)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: None (C:N)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
While the attack requires a high degree of complexity to craft a successful exploit, the potential for data modification justifies the medium severity rating.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Data Manipulation: An attacker could potentially modify sensitive data within the database.
- Information Disclosure: Although the CVSS score indicates no direct confidentiality impact, complex SQL injection attacks can sometimes be chained to extract sensitive information.
- Denial of Service: While the primary CVSS score doesn’t reflect this, depending on the database configuration and injected SQL, a denial-of-service condition is conceivable by injecting resource-intensive queries.
Mitigation and Patch Steps
To address this vulnerability, it is highly recommended to upgrade your Django installation to one of the following patched versions:
- Django 5.2.9 or later
- Django 5.1.15 or later
- Django 4.2.27 or later
If upgrading is not immediately feasible, review every place where FilteredRelation is used together with QuerySet.annotate() or QuerySet.alias(), particularly where user-supplied data is used to construct the **kwargs dictionary. Validate the alias names before they reach the ORM: restrict them to the identifiers your code expects rather than passing user-controlled keys through, so that no SQL can be injected via a column alias. Keep using the ORM's parameterized queries rather than building SQL strings by hand.
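As an added defensive example (not Django's own code), the helper below does two things a practitioner would want when triaging this advisory: checks an installed Django version against the fixed releases listed above, and allowlist-filters user-supplied alias names before they are expanded into QuerySet.annotate()/alias(). Names, the ALIAS_RE pattern and the sample inputs are assumptions for illustration; the version check assumes plain numeric release strings.

```python
import re
from typing import Dict, Iterable, Mapping, Optional, Tuple

# Column aliases must look like plain identifiers. Anything else is rejected
# before it can reach QuerySet.annotate()/alias(). (Assumed pattern, added example.)
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Fixed releases named in the advisory, keyed by minor branch.
PATCHED = {(5, 2): (5, 2, 9), (5, 1): (5, 1, 15), (4, 2): (4, 2, 27)}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.2.8' into (5, 2, 8); assumes a numeric release string."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above its branch's fix, False if below,
    None if the branch is not one the advisory covers (e.g. 5.0.x, 4.1.x, 3.2.x)."""
    parts = parse_version(version)
    fix = PATCHED.get(parts[:2])
    if fix is None:
        return None
    return parts >= fix


def safe_alias_kwargs(untrusted: Mapping[str, object],
                      allowed: Iterable[str]) -> Dict[str, object]:
    """Allowlist-filter alias names coming from user input.

    Only keys that are both on the allowlist and shaped like an identifier
    survive, so the returned dict is safe to expand with ** into
    QuerySet.annotate() or QuerySet.alias() even on an unpatched version.
    """
    allowed_names = set(allowed)
    filtered: Dict[str, object] = {}
    for name, expression in untrusted.items():
        if name not in allowed_names or not ALIAS_RE.match(name):
            raise ValueError(f"rejected alias name: {name!r}")
        filtered[name] = expression
    return filtered


if __name__ == "__main__":
    # Constructed sample: a request-derived dict whose key is attacker-controlled.
    requested = {"recent_books": "FilteredRelation('book', condition=...)"}
    print(is_patched("5.2.8"), is_patched("5.2.9"), is_patched("5.0.14"))
    # Typical use: qs.annotate(**safe_alias_kwargs(requested, {"recent_books"}))
    print(safe_alias_kwargs(requested, {"recent_books"}))
```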
