CVE-2025-13372 Affecting python-django package, versions <3:5.2.4-1ubuntu2.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UBUNTU2510-PYTHONDJANGO-14162791
- published3 Dec 2025
- disclosed2 Dec 2025
Introduced: 2 Dec 2025
NewCVE-2025-13372 (opens in a new tab)How to fix?
Upgrade Ubuntu:25.10 python-django to version 3:5.2.4-1ubuntu2.2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-django package and not the python-django package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.