CVE-2025-59681
python-django - security update
CVSS 3.1 score: 7.1 (HIGH)
EPSS: 0.01%
Description
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
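The weakness described above is reachable only when caller-controlled dictionary keys are expanded into `annotate()`, `alias()`, `aggregate()` or `extra()`. Beyond upgrading, the usual hardening is to let the server own the alias text and treat client input purely as a selection from a fixed set. The helper below is an added example, not Django's own code or the project's fix; it runs without Django installed, and the expression values are constructed string stand-ins for real ORM expressions such as `Count("orders")`.

```python
import keyword
import re

# Defensive identifier rule for alias names: plain ASCII identifier only, so
# whitespace, quotes, backticks, semicolons and comment markers never pass.
_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_alias(name):
    """Return True only if `name` looks like a safe column alias."""
    if not isinstance(name, str):
        return False
    if keyword.iskeyword(name):
        return False
    return _ALIAS_RE.fullmatch(name) is not None


def select_annotations(requested, expressions):
    """Build the kwargs dict that would be expanded into QuerySet.annotate().

    `requested` is client-supplied (e.g. parsed from a query string) and names
    which optional columns the caller wants. `expressions` is the server-defined
    allowlist mapping each permitted alias to its ORM expression. Anything not
    in the allowlist, or not a clean identifier, is rejected outright, so the
    only key text that reaches the ORM is text the server itself wrote.
    """
    chosen = {}
    for name in requested:
        if not validate_alias(name) or name not in expressions:
            raise ValueError(f"unsupported annotation: {name!r}")
        chosen[name] = expressions[name]
    return chosen


# Constructed stand-ins for real ORM expressions (assumed, not from the page).
EXAMPLE_EXPRESSIONS = {
    "total_orders": "Count('orders')",
    "avg_rating": "Avg('reviews__rating')",
}
```

In a view this replaces `Model.objects.annotate(**request_data)` with `Model.objects.annotate(**select_annotations(request_data, EXAMPLE_EXPRESSIONS))`.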
How to fix CVE-2025-59681
To remediate CVE-2025-59681, upgrade each affected package to the fixed version listed below.
- Upgrade to 4.2.25 or later
- Upgrade to 2:2.2.28-1~deb11u9 or later
- Upgrade to 2:2.2.28-1~deb11u9 or later
- Upgrade to 4.2.25 or later
- Upgrade to 4.2.25 or later
Is CVE-2025-59681 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 4.2.0, < 4.2.25, >= 5.1.0, < 5.1.13, >= 5.2.0, < 5.2.7
- from 0, < 2:2.2.28-1~deb11u9
- from 0, < 2:2.2.28-1~deb11u9
- >= 4.2, < 4.2.25
- >= 4.2, < 4.2.25, >= 5.1, < 5.1.13, >= 5.2, < 5.2.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |