2392990 – (CVE-2025-57833) CVE-2025-57833 django: Django SQL injection in FilteredRelation column aliases

Bug 2392990 (CVE-2025-57833) - CVE-2025-57833 django: Django SQL injection in FilteredRelation column aliases

Summary: CVE-2025-57833 django: Django SQL injection in FilteredRelation column aliases

Keywords:
Status:	NEW
Alias:	CVE-2025-57833
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2393800 2393801 2393802 2393803 2393804 2393805 2393806 2393807 2393808
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-03 21:01 UTC by OSIDB Bzimport
Modified:	2025-09-23 18:18 UTC (History)
CC List:	56 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:16403	None	None	None	2025-09-22 18:11:58 UTC
Red Hat Product Errata	RHSA-2025:16404	None	None	None	2025-09-22 20:31:26 UTC
Red Hat Product Errata	RHSA-2025:16487	None	None	None	2025-09-23 18:01:30 UTC
Red Hat Product Errata	RHSA-2025:16514	None	None	None	2025-09-23 18:18:11 UTC

Description OSIDB Bzimport 2025-09-03 21:01:17 UTC

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

Comment 2 errata-xmlrpc 2025-09-22 18:11:54 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2025:16403 https://access.redhat.com/errata/RHSA-2025:16403

Comment 3 errata-xmlrpc 2025-09-22 20:31:22 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2025:16404 https://access.redhat.com/errata/RHSA-2025:16404

Comment 4 errata-xmlrpc 2025-09-23 18:01:25 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:16487 https://access.redhat.com/errata/RHSA-2025:16487

Comment 5 errata-xmlrpc 2025-09-23 18:18:06 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:16514 https://access.redhat.com/errata/RHSA-2025:16514

Note You need to log in before you can comment on or make changes to this bug.

anthomas
brasmith
caswilli
cochase
dnakabaa
dranck
eglynn
ehelms
ggainey
haoli
hkataria
jajackso
jcammara
jjoyce
jmitchel
jneedle
joehler
jschluet
juwatts
jwendell
jwong
kaycoth
kegrant
koliveir
kshier
lbrazdil
lcouzens
lhh
lsvaty
mabashia
mburns
mgarciac
mhulan
mminar
mskarbek
nmoumoul
osousa
pbraun
pcreech
pgrist
rbiba
rcernich
rchan
shvarugh
simaishi
smallamp
smcdonal
sskracic
stcannon
teagle
tfister
thavo
tmalecek
tpfromme
ttakamiy
yguenane