CVE-2025-57833

Description

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

How to fix CVE-2025-57833

To remediate CVE-2025-57833, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.24 or later
• —upgrade to 2:2.2.28-1~deb11u8 or later
• —upgrade to 2:2.2.28-1~deb11u8 or later
• —upgrade to 4.2.24 or later
• —upgrade to 4.2.24 or later

Is CVE-2025-57833 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 4.2.0, < 4.2.24, >= 5.1.0, < 5.1.12, >= 5.2.0, < 5.2.6
• from 0, < 2:2.2.28-1~deb11u8
• from 0, < 2:2.2.28-1~deb11u8
• from 0, < 4.2.24
• >= 4.2, < 4.2.24, >= 5.1, < 5.1.12, >= 5.2, < 5.2.6

CVSS scores

References (16)

• ADVISORYdocs.djangoproject.com/en/dev/releases/security/
• ADVISORYgithub.com/advisories/GHSA-6w2r-r2m5-xq5w
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-57833
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-57833
• ADVISORY