A serious Django web vulnerability has been identified, prompting immediate action from the Django web framework development team. The flaw, officially registered as CVE-2025-57833, affects the FilteredRelation feature in Django and could allow attackers to carry out SQL injection attacks. This vulnerability has been marked as high severity, and users of affected versions are urged to upgrade without delay.
Decoding the CVE-2025-57833 FilteredRelation 3 Vulnerability
The vulnerability lies within a feature used to simplify complex database queries by adding extra columns to a query based on filter conditions. While the feature adds valuable flexibility for developers, a gap in input validation has now been discovered that could be exploited in dangerous ways.
Specifically, the FilteredRelation functionality failed to properly sanitize dictionary keys when used with QuerySet.annotate() or QuerySet.alias(). This means a malicious actor could pass in a crafted dictionary via keyword arguments (kwargs) that manipulates how column aliases are generated, ultimately inserting arbitrary SQL code directly into the database query.
Such an exploit could expose sensitive data, compromise database integrity, or allow unauthorized changes to records.
Affected Versions and Patches
According to the Django Project, this web vulnerability impacts the following supported versions:
- Django 5.2
- Django 5.1
- Django 4.2
- The main development branch
To address this, the Django team has released patched versions:
- Django 5.2.6
- Django 5.1.12
- Django 4.2.24
These patches eliminate the SQL injection risk by fixing the alias generation logic to prevent unsanitized inputs from being processed.
Official Statement from the Django Team
In an official security release postdated September 3, 2025, the Django Project team, represented by Sarah Boyce, stated:
“In accordance with our security release policy, the Django team is issuing releases for Django 5.2.6, Django 5.1.12, and Django 4.2.24. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.”
The post further details that CVE-2025-57833 was responsibly disclosed by Eyal Gabay from EyalSec, who identified the issue and reported it privately to the Django team.
How to Apply the Fix
The security patches have been merged into Django’s main branch as well as each of the supported release branches. Developers can review and apply the updates using the following commit identifiers:
- Main branch: 51711717098d3f469f795dfa6bc3758b24f69ef7
- 5.2 branch: 4c044fcc866ec226f612c475950b690b0139d243
- 5.1 branch: 102965ea93072fe3c39a30be437c683ec1106ef5
- 4.2 branch: 31334e6965ad136a5e369993b01721499c5d1a92
The new versions can be downloaded from the Django website, and each release is signed using PGP key ID 3955B19851EA96EF for integrity verification.
Before deploying to production, developers are strongly advised to test their applications after applying the patch to ensure compatibility and stability.
Final Recommendation
To protect applications from the high-severity Django web vulnerability identified as CVE-2025-57833, the Django Project urges all users to upgrade immediately to the patched versions, Django 5.2.6, 5.1.12, or 4.2.24, especially if their applications utilize the FilteredRelation feature or manage sensitive data.
This vulnerability stresses the importance of maintaining up-to-date frameworks and implementing proactive security practices. While the quick response from the Django team and security researchers has mitigated the risk, it is ultimately up to developers and organizations to apply the necessary updates and protect their systems against potential SQL injection threats.
