Django 4.2-4.2.25, 5.1-5.1.13, 5.2a1-5.2.7 - SQL Injection via QuerySet Dictionary Expansion
Title source: LLM
Exploitation Summary
EIP tracks 11 public exploits for CVE-2025-64459. PoCs published by Wafcontrol Security Team, XiaomingX, 0xCyberstan.
AI-analyzed exploit summary
This is a functional proof-of-concept exploit for CVE-2025-64459, targeting a SQL injection vulnerability in Django's QuerySet methods. It demonstrates arbitrary SQL injection via crafted _connector parameters and includes multiple testing modes (baseline, exploit, multi, check).
Description
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is passed with dictionary expansion (`**kwargs`), so that an attacker-controlled value reaches the `_connector` argument. The connector is the string placed between the individual lookups of a WHERE group, so a value such as `OR 1=1 OR` is emitted into the SQL unchanged. The exposure is the common pattern of forwarding request parameters straight into `filter(**params)`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
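The following is an added example written for this page; it is not Django's code and not one of the PoCs listed below. `q_from_kwargs` and `render_where` are a deliberately reduced stand-in for how `Q(**kwargs)` peels `_connector` and `_negated` off the dictionary and how the WHERE group is rendered by joining its lookups with the connector string; it exists only to make the injection visible and to contrast the pre-fix behaviour with the connector validation the fixed releases perform. `build_filter_kwargs` and the `ALLOWED_FILTERS` set are a hypothetical application-layer allowlist, the mitigation that works regardless of Django version.

```python
"""
CVE-2025-64459: how an attacker-controlled `_connector` reaches the SQL,
and two ways to stop it. Simplified illustration, not Django's own code.
"""
import re

# The connectors a Q object legitimately supports.
VALID_CONNECTORS = frozenset({"AND", "OR", "XOR"})


def q_from_kwargs(**kwargs):
    """Mimic what Q(**kwargs) does with an expanded dictionary: the keys
    `_connector` and `_negated` are taken by name, every other key/value
    pair becomes a lookup child. Children are sorted like Q does."""
    connector = kwargs.pop("_connector", None) or "AND"
    negated = kwargs.pop("_negated", False)
    return connector, negated, sorted(kwargs.items())


def render_where(columns, connector):
    """Render a WHERE group the way a query AST does: each child compiles
    to `col = %s` and the children are joined with ' <connector> '.
    Pre-fix behaviour: nothing checks what `connector` is. Note that the
    connector only appears between two or more lookups, which is why the
    published PoCs send at least two filter keys next to `_connector`."""
    parts = [f"{column} = %s" for column in columns]
    return "(" + (" %s " % connector).join(parts) + ")"


def render_filter(params, validate_connector=False):
    """Simulate filter(**params). With validate_connector=True the
    connector is checked first, which is the behaviour of the fixed
    releases (4.2.26, 5.1.14, 5.2.8)."""
    connector, negated, children = q_from_kwargs(**params)
    if validate_connector and connector not in VALID_CONNECTORS:
        raise ValueError(f"_connector must be one of {sorted(VALID_CONNECTORS)}")
    sql = render_where([column for column, _value in children], connector)
    return ("NOT " if negated else "") + sql


# Hypothetical application-side allowlist for a view that filters users.
ALLOWED_FILTERS = frozenset({"username", "email", "is_active"})
_FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def build_filter_kwargs(user_params, allowed=ALLOWED_FILTERS):
    """Version-independent fix: never expand raw request parameters into
    filter(). Only known field names pass; anything that starts with an
    underscore (`_connector`, `_negated`) or is not on the allowlist is
    rejected before it can reach the ORM."""
    safe = {}
    for key, value in user_params.items():
        if key not in allowed or not _FIELD_RE.match(key):
            raise ValueError(f"filter key not allowed: {key!r}")
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed request parameters, as an attacker would send them.
    attack = {"username": "admin", "password": "x", "_connector": "OR 1=1 OR"}
    print("pre-fix   :", render_filter(attack))
    try:
        render_filter(attack, validate_connector=True)
    except ValueError as exc:
        print("fixed     :", exc)
    try:
        build_filter_kwargs(attack)
    except ValueError as exc:
        print("allowlist :", exc)
```

Running the block prints the pre-fix rendering `(password = %s OR 1=1 OR username = %s)`, then the rejection from the connector check, then the rejection from the allowlist. Both checks are worth having: the connector validation is what the upgrade gives you, the allowlist is what keeps the next parameter-forwarding bug out of the ORM.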
Exploits (11)
This is a functional proof-of-concept exploit for CVE-2025-64459, targeting a SQL injection vulnerability in Django's QuerySet methods. It demonstrates arbitrary SQL injection via crafted _connector parameters and includes multiple testing modes (baseline, exploit, multi, check).
The repository contains a Python-based network scanner for detecting CVE-2025-64459, a Django SQL injection vulnerability. It checks for open ports, identifies Django applications, and tests for SQL injection by comparing user lists before and after payload injection.
This repository contains a functional Django-based PoC demonstrating CVE-2025-64459, a SQL injection vulnerability in Django ORM via Q object unpacking. The exploit shows how an attacker can bypass filters by injecting a malicious '_connector' parameter.
This repository contains a functional PoC for CVE-2025-64459, demonstrating SQL injection in Django ORM via Q object unpacking. The exploit bypasses filters by injecting a malicious '_connector' parameter, exposing admin users.
This repository provides a testbed and documentation for CVE-2025-64459, a parameter injection vulnerability in Django's QuerySet.filter() when using dictionary expansion. It includes exploitation examples and references to a vulnerable target for testing.
This repository contains two bash scripts designed to scan Docker containers for Django installations vulnerable to CVE-2025-64459. The first script checks Django versions against known vulnerable ranges, while the second verifies the presence of a specific patch in the query_utils.py file.
This repository contains a functional Django application demonstrating CVE-2025-64459, a SQL injection vulnerability in Django's QuerySet and Q objects. The exploit is triggered via query parameters (`_connector=OR 1=1 OR`), allowing arbitrary SQL fragments to be injected, leading to data exposure.
This repository contains a Python-based network scanner designed to detect CVE-2025-64459, a Django SQL injection vulnerability. It checks for vulnerable Django instances by sending crafted payloads and analyzing responses.
The repository contains a Django-based helpdesk application with models and migrations but lacks exploit code or detailed vulnerability information. The README references a PDF for exploitation details, which is not included.
This repository contains a working PoC for CVE-2025-64459, demonstrating Django ORM filter injection vulnerabilities in both authentication and product listing endpoints. The exploit leverages Django's ORM query parameter injection via `_connector` and `_negated` to bypass authentication and access non-public products.
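Several of the repositories above are version scanners. The following is an added example, not taken from any of them, that encodes the affected ranges the advisory gives (4.2 before 4.2.26, 5.1 before 5.1.14, 5.2 before 5.2.8, with 5.2 pre-releases such as 5.2a1 counted as affected). Series the Django project did not evaluate (5.0.x, 4.1.x, 3.2.x and older) are reported as "unknown" rather than "fixed", since the advisory says they may also be affected. The `django.get_version()` call in the `__main__` block is a real Django function; everything else is this example's own code.

```python
"""Classify a Django version against the CVE-2025-64459 fixed releases."""
import re

# Series evaluated by the Django project -> first release carrying the fix.
FIXED = {
    (4, 2): (4, 2, 26),
    (5, 1): (5, 1, 14),
    (5, 2): (5, 2, 8),
}

# Django version strings: 5.2, 5.2.7, 5.2a1, 5.2b1, 5.2rc1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # final releases sort after any pre-release of the same version


def parse_version(text):
    """Return a comparable tuple (major, minor, micro, pre_rank, pre_num)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, micro, tag, tag_num = match.groups()
    return (
        int(major),
        int(minor),
        int(micro) if micro else 0,
        _PRE_RANK[tag] if tag else _FINAL_RANK,
        int(tag_num) if tag_num else 0,
    )


def assess(version_text):
    """'vulnerable', 'fixed', or 'unknown' (series not evaluated upstream)."""
    version = parse_version(version_text)
    series = version[:2]
    if series not in FIXED:
        return "unknown"
    first_fixed = FIXED[series] + (_FINAL_RANK, 0)
    return "vulnerable" if version < first_fixed else "fixed"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        installed = sys.argv[1]
    else:
        try:
            import django
            installed = django.get_version()
        except ImportError:
            sys.exit("Django is not importable here; pass a version string instead")
    print(f"Django {installed}: {assess(installed)}")
```

Run it inside the application's virtualenv (or container, as the bash scanners above do) without arguments, or pass a version string to check a version you read from a banner or a lockfile. Treat "unknown" as a finding to follow up, not as a pass.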
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 9.1, Critical: network-reachable, no privileges or user interaction required, high impact on confidentiality and integrity)