Two Critical Security Vulnerabilities Found in Django: SQL Injection and DoS Risks

Two serious security vulnerabilities have been discovered in Django, one of the most widely used web development frameworks. The Django team has released essential security updates to address these issues. One vulnerability is classified as high severity and the other as medium, but both pose substantial risks to production servers.

1. High-Severity SQL Injection Vulnerability (CVE-2025-13372)

This issue affects PostgreSQL-based projects and originates from improper handling of column aliases in the FilteredRelation class.

By passing a specially crafted dictionary to QuerySet.annotate() or QuerySet.alias(), an attacker can:

  • inject malicious SQL code,
  • compromise database integrity,
  • modify or delete data.

Due to its potential impact, security experts strongly advise applying the patch as soon as possible.

2. DoS Vulnerability via XML Serializer (CVE-2025-64460)

The second flaw stems from an algorithmic complexity issue in the getInnerText() method of Django’s XML serializer.

When processing maliciously crafted XML, the serializer may:

  • perform excessive string concatenations,
  • significantly increase processing time,
  • cause abnormal spikes in CPU and memory usage.

This behavior enables a Denial-of-Service (DoS) attack, potentially slowing down or completely disabling the server. Despite its medium severity rating, the practical impact can be substantial.

Affected Versions

The Django team has confirmed that all supported versions of the framework are affected, including the upcoming Django 6.0 Release Candidate.

Fixes are available in the following releases:

  • Django 5.2.9
  • Django 5.1.15
  • Django 4.2.27

Developers using the main branch should pull the latest updates.

Mitigation Recommendations

Update immediately
Applying the patched releases is the most effective way to mitigate SQL injection and DoS risks.

Limit untrusted XML input
Filter or block XML data from unknown sources.

Strengthen code auditing
Projects using annotate() and alias() should undergo additional static analysis.

Enable resource monitoring
Unexpected CPU or memory spikes may signal DoS attempts.
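As an added example (not code from the Django project or from the original advisory), the following Python helpers support two of the recommendations above: they compare an installed version against the fixed releases listed in this article, and they reject alias names that are not plain identifiers before a mapping is handed to QuerySet.annotate() or QuerySet.alias(). The identifier policy and the helper names are assumptions of this example, not Django's own fix.

```python
import re

# Fixed releases listed in the advisory, keyed by release series (major, minor).
# A series not listed here (e.g. the 6.0 release candidate) yields None: unknown.
PATCHED_RELEASES = {
    (5, 2): (5, 2, 9),
    (5, 1): (5, 1, 15),
    (4, 2): (4, 2, 27),
}

# Conservative alias policy (an assumption of this example, stricter than what
# the ORM accepts): a plain SQL identifier with no quotes, spaces or punctuation.
SAFE_ALIAS = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def parse_version(version: str) -> tuple:
    """Turn 'X.Y.Z' into (X, Y, Z); a suffix such as 'rc1' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str):
    """True/False when the series appears in the advisory's list, None if not."""
    major, minor, patch = parse_version(version)
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def is_safe_alias(name: str) -> bool:
    """Accept only a bare identifier as an annotation/alias key."""
    return bool(SAFE_ALIAS.match(name))


def checked_annotations(annotations: dict) -> dict:
    """Validate every key before the mapping reaches annotate()/alias().

    Values are passed through untouched (in real code they would be
    FilteredRelation or other expression objects); only the keys are checked.
    """
    bad = [k for k in annotations if not is_safe_alias(k)]
    if bad:
        raise ValueError(f"unsafe alias name(s) rejected: {bad}")
    return annotations
```

In a project, call checked_annotations() on any mapping whose keys are not literal constants in the source, and fail the deployment when is_patched() returns False.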

The vulnerabilities CVE-2025-13372 and CVE-2025-64460 pose serious threats to modern Django applications. From database compromise to complete service outages, the impact can be severe. Prompt installation of security updates is essential for maintaining system stability and organizational resilience.