Django Security Releases Address Critical Vulnerabilities: Versions 5.2.9, 5.1.15, and 4.2.27 Issued

Software Security

Django's latest security releases (5.2.9, 5.1.15, 4.2.27) patch critical vulnerabilities, including a high-severity SQL injection and a moderate denial-of-service flaw. Users are urged to upgrade promptly.

The Django team has issued urgent security releases for Django versions 5.2.9, 5.1.15, and 4.2.27. These updates are crucial, addressing significant security vulnerabilities, and all users are strongly encouraged to upgrade their installations as soon as possible.

Addressed Security Issues

These releases resolve two key vulnerabilities:

CVE-2025-13372: Potential SQL Injection in FilteredRelation Column Aliases on PostgreSQL

A high-severity SQL injection vulnerability was discovered in FilteredRelation when processing column aliases on PostgreSQL. This flaw could be exploited by passing a suitably crafted dictionary, via dictionary expansion (**kwargs), to QuerySet.annotate() or QuerySet.alias(). This issue was reported by Stackered.

CVE-2025-64460: Potential Denial-of-Service Vulnerability in XML Serializer Text Extraction

A moderate-severity denial-of-service (DoS) vulnerability was identified in django.core.serializers.xml_serializer.getInnerText(). This algorithmic complexity issue allowed a remote attacker to trigger CPU and memory exhaustion, potentially leading to service degradation or outage, by submitting specially crafted XML input to a service that utilizes the XML Deserializer. The vulnerability stemmed from repeated string concatenation during the recursive collection of text nodes, resulting in superlinear computation. This issue was reported by Seokchan Yoon.
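As an added illustration of the failure mode behind CVE-2025-64460 (this is not Django's own code), the following Python contrasts a text extractor that concatenates strings while recursing through child nodes with one that collects fragments into a list and joins once; the function names, the sample document and the use of xml.dom.minidom are assumptions for the example.

```python
# Added illustration (not Django's code) of the two ways of collecting the
# text under an XML node that the advisory contrasts. inner_text_concat builds
# the result by repeated string concatenation during recursion, which can cost
# superlinear time on deeply nested or highly fragmented input; inner_text_join
# gathers fragments into a list and joins once, which is linear in the output.
from xml.dom import minidom
from xml.dom.minidom import Node


def inner_text_concat(node):
    """Pattern described in the advisory: concatenate during recursion."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            text = text + child.data
        elif child.nodeType == Node.ELEMENT_NODE:
            text = text + inner_text_concat(child)
    return text


def inner_text_join(node):
    """Linear alternative: collect fragments, join once at the end."""
    parts = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
                parts.append(child.data)
            elif child.nodeType == Node.ELEMENT_NODE:
                walk(child)

    walk(node)
    return "".join(parts)


# Constructed sample document: nested elements around text fragments.
SAMPLE_XML = "<field>Hel<b>lo,<i> wo</i></b>rld<![CDATA[!]]></field>"


def extract_both(xml_text=SAMPLE_XML):
    """Return (concat_result, join_result) for the root element of xml_text."""
    root = minidom.parseString(xml_text).documentElement
    return inner_text_concat(root), inner_text_join(root)


if __name__ == "__main__":
    print(extract_both())
```

Both functions return the same text; only the join-based version keeps the cost proportional to the amount of text extracted.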

Affected Supported Versions

The following Django versions are impacted by these vulnerabilities:

  • Django main
  • Django 6.0 (currently at release candidate status)
  • Django 5.2
  • Django 5.1
  • Django 4.2

Resolution

Patches to resolve these issues have been applied across Django's development branches, including main, 6.0 (release candidate), 5.2, 5.1, and 4.2. Users can obtain these patches from the respective changesets.

The following security releases are now available:

  • Django 5.2.9
  • Django 5.1.15
  • Django 4.2.27

For specific download links and checksums, please refer to the official Django project website.

Security Reporting Guidelines

The Django team reiterates its request for potential security issues to be reported privately via email to security@djangoproject.com. Please avoid using Django's Trac instance or the Django Forum for such reports. Comprehensive details on the security policy can be found on the official Django website.