What is GHSA-hpr9-3m2g-3j9p?

GHSA-hpr9-3m2g-3j9p is a security advisory published by GitHub Security Advisories with High severity. Django vulnerable to SQL injection in column aliases

Which CVE IDs does GHSA-hpr9-3m2g-3j9p cover?

GHSA-hpr9-3m2g-3j9p covers the following CVE IDs: CVE-2025-59681. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-hpr9-3m2g-3j9p?

GHSA-hpr9-3m2g-3j9p has a CVSS v3 base score of 7.1, published by GitHub Security Advisories.

Which products are affected by GHSA-hpr9-3m2g-3j9p?

GHSA-hpr9-3m2g-3j9p affects 3 products, including: pip/django:\u003e= 4.2, \u003c 4.2.25; pip/django:\u003e= 5.1, \u003c 5.1.13; pip/django:\u003e= 5.2, \u003c 5.2.7.

GHSA-hpr9-3m2g-3j9pHighCVSS 7.1

Django vulnerable to SQL injection in column aliases

Vendor

GitHub Security Advisories

Published

October 1, 2025

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2025-59681 →

📋 Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

🎯 Affected products3

pip/django:>= 4.2, < 4.2.25
pip/django:>= 5.1, < 5.1.13
pip/django:>= 5.2, < 5.2.7

🔗 References (9)

https://nvd.nist.gov/vuln/detail/CVE-2025-59681
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/oct/01/security-releases
https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a
https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
http://www.openwall.com/lists/oss-security/2025/10/01/3
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-106.yaml
https://github.com/advisories/GHSA-hpr9-3m2g-3j9p