oss-sec mailing list archives

CVE-2025-57833: Django: Potential SQL injection in FilteredRelation column aliases


From: Sarah Boyce <sarahboyce () djangoproject com>
Date: Wed, 3 Sep 2025 15:47:45 +0200

* Announce link:
https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

* Announce content:

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team is issuing releases for
`Django 5.2.6 <https://docs.djangoproject.com/en/dev/releases/5.2.6/>`_,
`Django 5.1.12 <https://docs.djangoproject.com/en/dev/releases/5.1.12/>`_,
and `Django 4.2.24 <https://docs.djangoproject.com/en/dev/releases/4.2.24/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases
==========================================================================

``FilteredRelation`` was subject to SQL injection in column aliases when a
suitably crafted dictionary was passed, via dictionary expansion, as the
``**kwargs`` to ``QuerySet.annotate()`` or ``QuerySet.alias()``.
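The affected pattern is dictionary keys from an untrusted source becoming column aliases through ``annotate(**d)`` or ``alias(**d)``. Upgrading is the fix; as a defence-in-depth layer at the application boundary, the following added example (not Django's own code, and independent of the ORM) applies an allow-list to alias names before they are expanded into ``**kwargs``. The function and error names are this example's own.

```python
import re
from typing import Any, Dict

# Allow-list for alias names that will become SQL column aliases.
# Identifier-shaped only: letters, digits and underscore, leading letter,
# at most 63 characters (the PostgreSQL identifier limit). Quotes,
# whitespace, semicolons and comment markers never match.
_SAFE_ALIAS = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")


class UnsafeAliasError(ValueError):
    """Raised when an untrusted alias name fails the allow-list."""


def validate_alias(name: Any) -> str:
    """Return `name` if it is safe to use as a column alias, else raise."""
    if not isinstance(name, str) or not _SAFE_ALIAS.fullmatch(name):
        raise UnsafeAliasError(f"alias rejected: {name!r}")
    if "__" in name:
        # "__" is Django's lookup separator; keep aliases unambiguous.
        raise UnsafeAliasError(f"alias contains lookup separator: {name!r}")
    return name


def is_safe_alias(name: Any) -> bool:
    """Boolean form of validate_alias() for use in request validation."""
    try:
        validate_alias(name)
    except UnsafeAliasError:
        return False
    return True


def safe_annotation_kwargs(untrusted: Dict[Any, Any]) -> Dict[str, Any]:
    """Validate every key of a user-supplied mapping before **-expansion.

    Intended for qs.annotate(**safe_annotation_kwargs(d)) where the keys
    originate from a request. Only the keys are checked here, because the
    keys are what end up as column aliases in the generated SQL; the values
    are passed through for the ORM's own expression handling. A single bad
    key rejects the whole mapping rather than silently dropping it.
    """
    return {validate_alias(key): value for key, value in untrusted.items()}
```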

Thanks to Eyal Gabay (EyalSec) for the report.

This issue has severity "high" according to the Django security policy.


Affected supported versions
===========================

* Django main
* Django 5.2
* Django 5.1
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's
main, 5.2, 5.1, and 4.2 branches.
The patches may be obtained from the following changesets.

CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases
--------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/51711717098d3f469f795dfa6bc3758b24f69ef7>`__
* On the `5.2 branch <https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243>`__
* On the `5.1 branch <https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5>`__
* On the `4.2 branch <https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92>`__


The following releases have been issued
=======================================

* Django 5.2.6 (`download Django 5.2.6
  <https://www.djangoproject.com/download/5.2.6/tarball/>`_ |
  `5.2.6 checksums
  <https://www.djangoproject.com/download/5.2.6/checksum/>`_)
* Django 5.1.12 (`download Django 5.1.12
  <https://www.djangoproject.com/download/5.1.12/tarball/>`_ |
  `5.1.12 checksums
  <https://www.djangoproject.com/download/5.1.12/checksum/>`_)
* Django 4.2.24 (`download Django 4.2.24
  <https://www.djangoproject.com/download/4.2.24/tarball/>`_ |
  `4.2.24 checksums
  <https://www.djangoproject.com/download/4.2.24/checksum/>`_)

The PGP key ID used for this release is
`3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_.


General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private
email to ``security () djangoproject com``, and not via Django's Trac
instance, nor via the Django Forum. Please see `our security policies
<https://www.djangoproject.com/security/>`_ for further information.

* Machine-readable CVE data for CVE-2025-57833:
{
  "affected": [
    {
      "collectionURL": "https://github.com/django/django/",
      "defaultStatus": "affected",
      "packageName": "django",
      "versions": [
        {
          "lessThan": "5.2.6",
          "status": "affected",
          "version": "5.2.0",
          "versionType": "semver"
        },
        {
          "lessThan": "5.2.*",
          "status": "unaffected",
          "version": "5.2.6",
          "versionType": "semver"
        },
        {
          "lessThan": "5.1.12",
          "status": "affected",
          "version": "5.1.0",
          "versionType": "semver"
        },
        {
          "lessThan": "5.1.*",
          "status": "unaffected",
          "version": "5.1.12",
          "versionType": "semver"
        },
        {
          "lessThan": "4.2.24",
          "status": "affected",
          "version": "4.2.0",
          "versionType": "semver"
        },
        {
          "lessThan": "4.2.*",
          "status": "unaffected",
          "version": "4.2.24",
          "versionType": "semver"
        }
      ]
    }
  ],
  "credits": [
    {
      "lang": "en",
      "type": "reporter",
      "value": "Django would like to thank Eyal Gabay (EyalSec) for reporting this issue."
    }
  ],
  "datePublic": "09/03/2025",
  "descriptions": [
    {
      "lang": "en",
      "value": "FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias()."
    }
  ],
  "metrics": [
    {
      "other": {
        "content": {
          "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
          "value": "high"
        },
        "type": "Django severity rating"
      }
    }
  ],
  "references": [
    {
      "name": "Django security releases issued: 5.2.6, 5.1.12, and 4.2.24",
      "tags": [
        "vendor-advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2025/sep/03/security-releases/"
    }
  ],
  "timeline": [
    {
      "lang": "en",
      "time": "2025-09-03T13:00:00+00:00",
      "value": "Made public."
    }
  ],
  "title": "Potential SQL injection in FilteredRelation column aliases"
}
