Django SQL Injection via _connector parameter (CVE-2025-64459)
Description
A critical SQL injection vulnerability affects Django versions prior to 5.2.8, 5.1.14, and 4.2.26. The vulnerability allows attackers to manipulate database query logic by injecting Django's internal query parameters (_connector and _negated) when applications pass unsanitized user input directly to QuerySet methods such as filter(), exclude(), or get(). This enables attackers to bypass intended query filters, alter query logic from AND to OR operations, and access unauthorized data without authentication.
Remediation
Immediate Actions:
1. Upgrade Django to a patched version immediately:
- Django 5.2.8 or later (for 5.2.x users)
- Django 5.1.14 or later (for 5.1.x users)
- Django 4.2.26 or later (for 4.2.x users)
2. Identify vulnerable code patterns in your codebase using:
grep -r "\.filter(\*\*" --include="*.py"
grep -r "\.exclude(\*\*" --include="*.py"
grep -r "\.get(\*\*" --include="*.py"
Secure Coding Practices:
3. Never pass user input dictionaries directly to QuerySet methods. Replace vulnerable patterns:
Vulnerable Code:
# UNSAFE - allows injection of _connector and _negated
results = Model.objects.filter(**request.GET.dict())
results = Model.objects.exclude(**request.POST.dict())
Secure Code:
# SAFE - use Django Forms for validation
from django import forms

class SearchForm(forms.Form):
    category = forms.CharField(max_length=100)
    status = forms.CharField(max_length=50)

form = SearchForm(request.GET)
if form.is_valid():
    results = Model.objects.filter(
        category=form.cleaned_data['category'],
        status=form.cleaned_data['status']
    )

# SAFE - explicit parameter whitelisting
allowed_params = {'category', 'status', 'date'}
filter_params = {k: v for k, v in request.GET.items() if k in allowed_params}
results = Model.objects.filter(**filter_params)
4. Review application logs for potential exploitation attempts by searching for requests containing _connector or _negated parameters
5. Implement input validation at the application layer to reject requests containing parameters that start with underscores
6. Conduct a security audit of all endpoints that accept user input and interact with Django's ORM to ensure proper input sanitization
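The following is an added example, not code from the advisory or from Django, combining steps 3 to 5 above: an allow-list filter that drops underscore-prefixed and unknown keys before they can reach the ORM, and a scanner that flags _connector/_negated in access-log query strings (including percent-encoded names). The common-log-format layout and the sample log lines are assumptions constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# ORM-internal keyword arguments that CVE-2025-64459 lets user input reach
# when a request dict is splatted into filter()/exclude()/get().
INTERNAL_KWARGS = {"_connector", "_negated"}


def sanitize_filter_params(params, allowed):
    """Return (clean, rejected): keys safe to splat into QuerySet.filter(),
    and the keys dropped so they can be logged. Anything not in the allow
    list or starting with an underscore is rejected, so ORM internals are
    unreachable from user input."""
    clean, rejected = {}, []
    for key, value in params.items():
        if key.startswith("_") or key not in allowed:
            rejected.append(key)
        else:
            clean[key] = value
    return clean, rejected


def find_injection_attempts(log_lines):
    """Flag access-log requests whose query string carries _connector/_negated
    (or any underscore-prefixed key). Lines are assumed to be in common log
    format with the request line quoted. The query string is parsed, so
    percent-encoded names such as %5Fconnector are caught too, unlike a plain
    grep for the literal text. Returns (line_no, path, suspicious_keys)."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split(" ")) < 2:
            continue  # not a well-formed request line
        target = urlsplit(parts[1].split(" ")[1])
        query = parse_qs(target.query, keep_blank_values=True)
        suspicious = sorted(k for k in query if k in INTERNAL_KWARGS or k.startswith("_"))
        if suspicious:
            hits.append((line_no, target.path, suspicious))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /api/items/?status=open HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /api/items/?status=open&_connector=OR HTTP/1.1" 200 9120',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /api/items/?_negated=1&owner=1 HTTP/1.1" 200 9120',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /api/items/?%5Fconnector=OR HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    print(sanitize_filter_params({"status": "open", "_connector": "OR"}, {"status"}))
    print(find_injection_attempts(SAMPLE_LOG))
```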