Multiple Django Vulnerabilities Enable SQL Injection And Dos Attack

Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.

The vulnerabilities, identified as CVE-2025-64458 and CVE-2025-64459, affect core components of the framework and require immediate attention from developers using Django in their applications.

The more serious of the two vulnerabilities, CVE-2025-64459, carries a high severity rating and involves a potential SQL injection weakness in Django’s QuerySet and Q objects.

Security researcher Cyberstan discovered that the QuerySet.The filter(), QuerySet.exclude(), and QuerySet.get() methods, along with the Q() class, are vulnerable when processing specially crafted dictionaries that use the _connector keyword argument with dictionary expansion.

This flaw could enable malicious actors to inject arbitrary SQL commands into database queries, potentially compromising sensitive data or gaining unauthorized access to backend systems.

SQL injection remains one of the most dangerous web application vulnerabilities, making this discovery particularly concerning for organizations relying on Django for their web infrastructure.

The second vulnerability, CVE-2025-64458, affects Django installations running on Windows.

Seokchan Yoon from ch4n3.KR identified this moderate-severity denial-of-service weakness in the HttpResponseRedirect and HttpResponsePermanentRedirect functions. The issue stems from slow NFKC normalization in Python on Windows.

Attackers can exploit this performance bottleneck by submitting inputs containing vast numbers of Unicode characters, causing the application to consume excessive resources and potentially become unresponsive.

Although rated moderate severity, this vulnerability could still disrupt services and affect user experience on Windows-based Django deployments.