Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-64459 PoC — Potential SQL injection via _connector keyword argument in QuerySet and Q objects

Source
https://github.com/B1ack4sh/Blackash-CVE-2025-64459
Associated Vulnerability
Title:Potential SQL injection via _connector keyword argument in QuerySet and Q objects (CVE-2025-64459)
Description:An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
Description
CVE-2025-64459
Readme
# 🛡️ **CVE‑2025‑64459 — Django SQL Injection Vulnerability**

---

## 🔍 **Overview**

| Item            | Details                                                                                                                               |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Identifier**  | CVE‑2025‑64459                                                                                                                        |
| **Description** | SQL injection via ORM `filter()`, `exclude()`, `get()` and `Q()` using `**kwargs` allowing manipulation of `_connector` / `_negated`. |
| **Attack Type** | 🌐 Remote (network), no privileges, no user interaction                                                                               |
| **Impact**      | 🔒 Confidentiality & 📝 Integrity compromised                                                                                         |
| **Severity**    | 🚨 CVSS 9.1 (Critical)                                                                                                                |

---

## 📦 **Affected Versions & Patch Status**

| Django Version                    | Status                | Patch Version       |
| --------------------------------- | --------------------- | ------------------- |
| 4.2 < 4.2.26                      | ⚠️ Vulnerable         | 4.2.26+             |
| 5.1 < 5.1.14                      | ⚠️ Vulnerable         | 5.1.14+             |
| 5.2 < 5.2.8                       | ⚠️ Vulnerable         | 5.2.8+              |
| Older unsupported (3.2, 4.1, 5.0) | ❓ Possibly vulnerable | Upgrade recommended |

**Official Advisory:** [Django Security Releases](https://www.djangoproject.com/weblog/2025/nov/05/security-releases/?utm_source=chatgpt.com)

---

## ⚡ **Technical Details**

### 🔑 Root Cause

* User input via `**kwargs` allows control of internal ORM parameters:

  * `_connector` → controls AND / OR joins
  * `_negated` → inverts filters

**Risky code example:**

```python
filters = request.GET.dict()
results = Model.objects.filter(**filters)
```

**Malicious query example:**

```
?username=admin&_connector=OR&is_superuser=True
```

### 🔓 **Impact**

* Unauthorized access to data 📄
* Data manipulation ✏️
* Authorization bypass ⚔️
* Low risk for DoS

### 🛠️ Exploitation Conditions

* Public APIs, REST, GraphQL endpoints
* Dynamic filters using user dictionaries
* Legacy Django versions

---

## ⚠️ **Exploitation Status**

* No confirmed widespread attacks 🕵️‍♂️
* Scanners & WAF rules emerging to detect it

---

## 🛡️ **Mitigation & Recommendations**

### 🔹 Immediate Actions

1. **Upgrade Django** 🚀

   * 4.2 → 4.2.26+
   * 5.1 → 5.1.14+
   * 5.2 → 5.2.8+
2. **Audit your code** 🔍

   * Avoid `filter(**dict_from_user)`
   * Watch for `Q()` objects using dynamic inputs
3. **Whitelist allowed parameters** ✅
4. **Restrict DB permissions** 🗝️ (least privilege)
5. **Monitor logs** 📜

   * Look for `_connector` or `_negated` keys

### 🔹 Long-Term Best Practices

* Use **parameterized queries**
* Educate developers on safe ORM practices 🧑‍💻
* Maintain an **inventory of Django apps & versions**

---

## 📊 **Summary Cheat Sheet**

| 🔹 Item             | 🔹 Details                                                 |
| ------------------- | ---------------------------------------------------------- |
| Vulnerability       | SQL injection via `_connector` / `_negated`                |
| CVE                 | CVE‑2025‑64459                                             |
| Affected Versions   | 4.2 < 4.2.26, 5.1 < 5.1.14, 5.2 < 5.2.8                    |
| Fixed Versions      | 4.2.26+, 5.1.14+, 5.2.8+                                   |
| CVSS Score          | 🚨 9.1 Critical                                            |
| Attack Vector       | 🌐 Remote, low complexity, no privileges                   |
| Impact              | 🔥 High (confidentiality & integrity)                      |
| Exploitation Status | 🕵️‍♀️ No confirmed widespread exploitation                |
| Mitigation          | Upgrade, audit, whitelist, restrict DB perms, monitor logs |

---
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →