Analysis of the security patches for CVE-2025-64459 reveals an SQL injection vulnerability in Django's Object-Relational Mapping (ORM) layer. The root cause is missing input validation for the _connector keyword argument in the constructor (__init__) of the django.db.models.query_utils.Q class.
The vulnerability description names QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() as the primary attack vectors. These methods forward their keyword arguments to Q(**kwargs) when building the WHERE tree of the query. If an application expands an attacker-controlled dictionary into one of these calls with the ** syntax (for example filter(**request_data)), a key named _connector in that dictionary binds to the constructor's _connector parameter instead of being treated as a field lookup, so the attacker controls the connector value. Constructing Q(**data) directly from such a dictionary is affected in the same way; calls whose keyword arguments are fixed in source code give an attacker no way to supply that key.
The provided patches (e.g., 06dd38324ac3d60d83d9f3adabf0dcdf423d2a85) address this by adding a validation block at the beginning of Q.__init__. The new code checks _connector against a safelist of allowed connectors (AND, OR, XOR, or None, which falls back to the default AND) and raises a ValueError for anything else. Before this change the value was stored unchecked and later became the connector of the corresponding WhereNode, where it is joined verbatim between the SQL of the child conditions. Only the lookup values are parameterised; the connector string is not, so an arbitrary SQL fragment placed there lands in the query text unchanged.
Q.__init__ is therefore the precise location of the vulnerability: the missing check sits there, even though the string is only emitted later when the WHERE clause is compiled. During exploitation a runtime profile would show Q.__init__ being called with a malicious _connector value, originating from one of the QuerySet methods above or from a direct Q() call. One practical caveat: the connector is inserted only between two or more child conditions, so a dictionary that carries _connector alone, or together with a single lookup, produces no injected text; a working payload needs at least two lookups in the same dictionary.
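The following is an added example, not Django's code and not taken from the patch: a deliberately simplified re-implementation of the Q and WhereNode behaviour described above, with the pre-patch constructor (VulnerableQ) beside the patched one (PatchedQ), a stand-in for filter(**kwargs), and a constructed attacker-controlled dictionary. The class and function names other than the AND, OR and XOR connector constants are invented for illustration; the safe_filter_kwargs helper is a defence-in-depth suggestion for code that cannot yet upgrade, not something the patch adds.

```python
# Added example: simplified model of Django's Q / WhereNode behaviour behind
# CVE-2025-64459. NOT Django's code; names other than AND/OR/XOR are invented.

AND, OR, XOR = "AND", "OR", "XOR"          # connector names Django's Q defines
ALLOWED_CONNECTORS = {AND, OR, XOR}


class VulnerableQ:
    """Pre-patch shape: whatever arrives as _connector is stored unchecked."""

    def __init__(self, *args, _connector=None, _negated=False, **kwargs):
        self.connector = _connector or AND        # None falls back to AND
        self.negated = _negated
        # Keyword lookups become (field, value) children; Django sorts them too.
        self.children = [*args, *sorted(kwargs.items())]


class PatchedQ(VulnerableQ):
    """Post-patch shape: refuse any connector outside the safelist."""

    def __init__(self, *args, _connector=None, _negated=False, **kwargs):
        if _connector is not None and _connector not in ALLOWED_CONNECTORS:
            raise ValueError(
                f"_connector must be one of AND, OR, XOR; got {_connector!r}"
            )
        super().__init__(*args, _connector=_connector, _negated=_negated, **kwargs)


def where_as_sql(q):
    """Emulates WhereNode.as_sql(): each child condition is parameterised,
    but the connector is interpolated as a plain string between them."""
    parts, params = [], []
    for field, value in q.children:
        parts.append(f'"{field}" = %s')
        params.append(value)
    sql = (" %s " % q.connector).join(parts)   # the unvalidated sink
    if q.negated:
        sql = f"NOT ({sql})"
    return sql, params


def filter_sql(q_class, **kwargs):
    """Stand-in for QuerySet.filter(**kwargs): kwargs go straight into Q()."""
    return where_as_sql(q_class(**kwargs))


def safe_filter_kwargs(untrusted, allowed_fields):
    """Defence in depth for code that must **-expand request data: accept only
    known field names, so private parameters such as _connector or _negated
    can never reach Q.__init__. (Suggested mitigation, not part of the patch.)"""
    bad = [k for k in untrusted if k not in allowed_fields]
    if bad:
        raise ValueError(f"unexpected filter keys: {bad}")
    return dict(untrusted)


# Constructed attacker-controlled dictionary (e.g. decoded from a request
# body) that an application expands into .filter(**data).
ATTACKER_KWARGS = {
    "name": "alice",
    "is_active": True,
    "_connector": "OR 1=1 OR",   # keeps the surrounding SQL grammatically valid
}


def demonstrate():
    """Returns (WHERE SQL from the vulnerable path, outcome on the patched path)."""
    vulnerable_sql, _ = filter_sql(VulnerableQ, **ATTACKER_KWARGS)
    try:
        filter_sql(PatchedQ, **ATTACKER_KWARGS)
        patched = "accepted"
    except ValueError as exc:
        patched = f"rejected: {exc}"
    return vulnerable_sql, patched


if __name__ == "__main__":
    sql, outcome = demonstrate()
    print("vulnerable WHERE:", sql)
    print("patched Q:", outcome)
```

Two things the example makes visible that the prose alone does not: with the vulnerable constructor the payload is spliced between the two lookups ("is_active" = %s OR 1=1 OR "name" = %s), turning the filter into a tautology while the parameter list stays intact, and with a single lookup the same payload never appears in the SQL because there is nothing for the connector to join. The payload is chosen to keep the query grammatically valid; a fragment ending in a comment marker would also be accepted by the vulnerable constructor but can break placeholder counting on some drivers.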
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| django | pip | >= 5.2a1, < 5.2.8 | 5.2.8 |
| django | pip | >= 5.0a1, < 5.1.14 | 5.1.14 |
| django | pip | < 4.2.26 | 4.2.26 |