CRITICAL 9.8

PYSEC-2025-106

상세

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / django

최초 영향 버전: 4.2 수정 버전: 4.2.25

수정 pip install --upgrade 'django>=4.2.25'

참고

http://www.openwall.com/lists/oss-security/2025/10/01/3 [WEB]
https://docs.djangoproject.com/en/dev/releases/security/ [ADVISORY]
https://groups.google.com/g/django-announce [ADVISORY]
https://www.djangoproject.com/weblog/2025/oct/01/security-releases/ [ADVISORY]