Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews.
2025-11-07 07:15:35 +00:00 · 2025-09-24 15:54:51 -04:00
parent c880530ddd
commit 98e642c691
5 changed files with 30 additions and 0 deletions
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -48,8 +48,12 @@ class Q(tree.Node):
    XOR = "XOR"
    default = AND
    conditional = True
+    connectors = (None, AND, OR, XOR)

    def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
        super().__init__(
            children=[*args, *sorted(kwargs.items())],
            connector=_connector,
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 :func:`redirect() <django.shortcuts.redirect>` were subject to a potential
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
--- a/docs/releases/5.1.14.txt
+++ b/docs/releases/5.1.14.txt
@@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 :func:`redirect() <django.shortcuts.redirect>` were subject to a potential
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -18,6 +18,13 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).

+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
+
 Bugfixes
 ========

--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -272,6 +272,11 @@ class QTests(SimpleTestCase):
                    Q(*items, _connector=connector),
                )

+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
    def test_referenced_base_fields(self):
        # Make sure Q.referenced_base_fields retrieves all base fields from
        # both filters and F expressions.