CVE-2025-13372 is a SQL injection flaw in Django's ORM that only affects applications using the PostgreSQL backend. The root cause is improper handling of column aliases when FilteredRelation is used with the QuerySet.annotate() or QuerySet.alias() methods.
The entry point is an application that expands a dictionary into the keyword arguments of these methods (annotate(**kwargs) or alias(**kwargs)) with keys that come from untrusted input. Each key becomes a column alias. If a key contains a dollar sign ($), the default SQL compiler copies it into the generated SQL without sanitization. PostgreSQL uses dollar signs to delimit dollar-quoted strings, so a suitably crafted alias can change how the rest of the statement is parsed and allow arbitrary SQL to be injected. Applications on other database backends are not affected by this flaw, and applications that never let user input choose alias names are not exposed even on PostgreSQL.
The patch adds a PostgreSQL-specific SQLCompiler that overrides the quote_name_unless_alias method. The new implementation explicitly rejects any alias containing a dollar sign, which closes the injection path.
Analysis of the patch files confirms this. The core change is the new validation in django/db/backends/postgresql/compiler.py. QuerySet.annotate and QuerySet.alias are the entry points for the malicious input, while SQLCompiler.quote_name_unless_alias is the deeper function whose missing validation constitutes the vulnerability.
| Function | File |
|---|---|
| QuerySet.alias | django/db/models/query.py |
| QuerySet.annotate | django/db/models/query.py |
| SQLCompiler.quote_name_unless_alias | django/db/models/sql/compiler.py |
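The following is an added example, not code from Django or from the patch. It models only what the analysis above describes: a generic compiler whose quote_name_unless_alias emits a known alias verbatim (unquoted), and a PostgreSQL override that refuses any alias containing a dollar sign. It then shows the application-side control that applies regardless of Django version: vetting dictionary keys against an allow-list before they can be expanded into annotate(**kwargs) or alias(**kwargs). The class names GenericCompiler and PostgreSQLCompiler, the helper functions, the ALLOWED_ALIASES set, and the identifier regex are this example's own assumptions, not Django's API.

```python
import re

# Added example (not Django's code). It models only the behaviour the
# advisory describes: a compiler that emits known aliases verbatim, and a
# PostgreSQL override that refuses aliases containing '$'.


class GenericCompiler:
    """Stand-in for the default SQLCompiler. Assumption: the real method
    returns an alias unquoted when it is one of the query's own aliases and
    falls back to identifier quoting for ordinary column names."""

    def __init__(self, aliases):
        self.aliases = set(aliases)

    def quote_name(self, name):
        # Standard SQL identifier quoting: wrap in double quotes and double
        # any embedded double quote.
        return '"' + name.replace('"', '""') + '"'

    def quote_name_unless_alias(self, name):
        if name in self.aliases:
            return name  # alias: copied into the SQL as-is, no quoting
        return self.quote_name(name)


class PostgreSQLCompiler(GenericCompiler):
    """Modelled after the backend-specific override the patch introduces
    (not copied from it): any alias containing '$' is rejected before it
    can reach the generated SQL."""

    def quote_name_unless_alias(self, name):
        if "$" in name:
            raise ValueError(
                "Column alias %r contains '$', which PostgreSQL uses to "
                "delimit dollar-quoted strings" % name
            )
        return super().quote_name_unless_alias(name)


def render_select(compiler, table, column, alias):
    """Toy rendering of SELECT "column" AS alias FROM "table" so the effect
    of an unquoted alias on the final statement is visible."""
    return "SELECT %s AS %s FROM %s" % (
        compiler.quote_name(column),
        compiler.quote_name_unless_alias(alias),
        compiler.quote_name(table),
    )


def try_render(compiler, table, column, alias):
    """Return (accepted, sql_or_error_message) so the two compilers can be
    compared without exception handling at the call site."""
    try:
        return True, render_select(compiler, table, column, alias)
    except ValueError as exc:
        return False, str(exc)


# Application-side guard, independent of the Django version in use.
# Assumption: the alias names an application accepts from a request form a
# small fixed set, so an allow-list is the right control. ALLOWED_ALIASES
# and IDENTIFIER are hypothetical values for this example.
ALLOWED_ALIASES = {"total", "latest_order"}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def rejected_alias_names(user_kwargs):
    """Keys that are not allow-listed plain identifiers, sorted."""
    return sorted(
        key for key in user_kwargs
        if key not in ALLOWED_ALIASES or not IDENTIFIER.match(key)
    )


def vet_alias_kwargs(user_kwargs):
    """Raise before a bad key could be expanded into annotate(**kwargs) or
    alias(**kwargs); otherwise return a copy safe to expand."""
    rejected = rejected_alias_names(user_kwargs)
    if rejected:
        raise ValueError("disallowed alias names: %s" % ", ".join(rejected))
    return dict(user_kwargs)


if __name__ == "__main__":
    # Constructed sample aliases: one benign, one carrying a dollar sign.
    aliases = ["total", "t$t"]
    for cls in (GenericCompiler, PostgreSQLCompiler):
        compiler = cls(aliases)
        for alias in aliases:
            print(cls.__name__, try_render(compiler, "orders", "amount", alias))
    print(rejected_alias_names({"total": 1, "t$t": 2}))
```

Run stand-alone, the generic compiler emits `t$t` straight into the statement while the PostgreSQL compiler refuses it; the same name also fails the application allow-list, which is the control to rely on when upgrading is not immediately possible.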
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Django | pip | >= 5.2a1, < 5.2.9 | 5.2.9 |
| Django | pip | >= 5.1a1, < 5.1.15 | 5.1.15 |
| Django | pip | >= 4.2a1, < 4.2.27 | 4.2.27 |