Django 4.2.25 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the Django package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Allocation of Resources Without Limits or Throttling Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `URLField.to_python()` function when processing URLs containing certain Unicode characters on Windows systems. An attacker can cause excessive resource consumption and application unresponsiveness by submitting large URL inputs crafted with these characters. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `Django` to version 4.2.29, 5.2.12, 6.0.3 or higher.	[4.2a1,4.2.29)[5.2a1,5.2.12)[6.0a1,6.0.3)
L Race Condition Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Race Condition in the file-system storage and file-based cache backends that use `umask` process in multi-threaded environments. An attacker can manipulate file system object permissions by making concurrent requests, potentially leading to unauthorized access or modification of files. How to fix Race Condition? Upgrade `Django` to version 4.2.29, 5.2.12, 6.0.3 or higher.	[4.2a1,4.2.29)[5.2a1,5.2.12)[6.0a1,6.0.3)
M Inefficient Algorithmic Complexity Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the `django.utils.text.Truncator.chars` and `Truncator.words` methods (when `html=True`), as well as the `truncatechars_html` and `truncatewords_html` template filters, when processing crafted input containing a large number of unmatched HTML end tags. An attacker can cause excessive resource consumption by submitting such specially crafted input. How to fix Inefficient Algorithmic Complexity? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[4.2a1,4.2.28)[5.2a1,5.2.11)[6.0a1,6.0.2)
C SQL Injection Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the `FilteredRelation` when control characters are used in column aliases through a crafted dictionary with dictionary expansion as the `**kwargs` argument to `QuerySet` methods such as `annotate`, `aggregate`, `extra`, `values`, `values_list`, and `alias`. An attacker can execute arbitrary SQL commands by supplying malicious input to these methods. How to fix SQL Injection? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[4.2a1,4.2.28)[5.2a1,5.2.11)[6.0a1,6.0.2)
C SQL Injection Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the `QuerySet.order_by` and `FilteredRelation` when column aliases containing periods are used with a crafted dictionary and dictionary expansion. An attacker can execute arbitrary SQL commands by supplying specially crafted input to these components. How to fix SQL Injection? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[4.2a1,4.2.28)[5.2a1,5.2.11)[6.0a1,6.0.2)
M Timing Attack Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Timing Attack via the `check_password` function in the `modwsgi.py` file. An attacker can determine the existence of valid usernames by measuring response times during authentication attempts. How to fix Timing Attack? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[4.2a1,4.2.28)[5.2a1,5.2.11)[6.0a1,6.0.2)
M Inefficient Algorithmic Complexity Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the repeated headers when using ASGI. An attacker can exhaust system resources by sending specially crafted requests containing multiple duplicate headers. How to fix Inefficient Algorithmic Complexity? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[4.2a1,4.2.28)[5.2a1,5.2.11)[6.0a1,6.0.2)
H SQL Injection Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the band index parameter `band_lhs` in `check_raster` lookups when using PostGIS. An attacker can execute arbitrary SQL commands by supplying crafted input to this parameter. How to fix SQL Injection? Upgrade `Django` to version 4.2.28, 5.2.11, 6.0.2 or higher.	[,4.2.28)[5.0a1,5.2.11)[6.0a1,6.0.2)
H Inefficient Algorithmic Complexity Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the `getInnerText()` function. An attacker can exhaust CPU and memory resources by submitting deeply nested XML input to the XML deserializer, which is processed in quadratic time per character. How to fix Inefficient Algorithmic Complexity? Upgrade `Django` to version 4.2.27, 5.1.15, 5.2.9 or higher.	[,4.2.27)[5.0a1,5.1.15)[5.2a1,5.2.9)
H SQL Injection Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the `FilteredRelation` column aliases. When a malicious dictionary expansion is passed in as the `**kwargs` argument to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL, its contents can be used to execute SQL. How to fix SQL Injection? Upgrade `Django` to version 4.2.27, 5.1.15, 5.2.9 or higher.	[,4.2.27)[5.0a1,5.1.15)[5.2a1,5.2.9)
M SQL Injection Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the `_connector` argument in the `QuerySet.filter`, `QuerySet.exclude`, `QuerySet.get`, and `Q` objects. A dictionary using dictionary expansion that is supplied as the `_connector` value can allow attackers to execute malicious SQL. How to fix SQL Injection? Upgrade `Django` to version 4.2.26, 5.1.14, 5.2.8 or higher.	[,4.2.26)[5.0a1,5.1.14)[5.2a1,5.2.8)
H Inefficient Algorithmic Complexity Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the `HttpResponseRedirect` and `HttpResponsePermanentRedirect` functions when processing inputs containing a very large number of Unicode characters, due to slow NFKC normalization on Windows. An attacker can cause excessive resource consumption and disrupt service availability. Note: This is only exploitable on Windows. How to fix Inefficient Algorithmic Complexity? Upgrade `Django` to version 4.2.26, 5.1.14, 5.2.8 or higher.	[,4.2.26)[5.0a1,5.1.14)[5.2a1,5.2.8)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling