mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-09-10 11:09:12 +00:00
Code Issues 32 Releases Wiki Activity
django/docs/releases/4.2.24.txt
Jake Howard 5171171709 Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases. 
Thanks Eyal Gabay (EyalSec) for the report.
2025-09-03 13:10:58 +02:00

15 lines
559 B
Plaintext
Raw Permalink Blame History

===========================
Django 4.2.24 release notes
===========================
*September 3, 2025*
Django 4.2.24 fixes a security issue with severity "high" in 4.2.23.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
Reference in New Issue View Git Blame Copy Permalink