Detections
Analytics
Python Library Django 4.2.x < 4.2.24 / 5.1.x < 5.1.12 / 5.2.x < 5.2.6 SQLi
high Nessus Plugin ID 264623
Language:
Synopsis
A Python library installed on the remote host is affected by a SQL injection vulnerability.Description
The detected version of the Django Python package, Django, is 4.2.x prior to 4.2.24, 5.1.x prior to 5.1.12, or 5.2.x prior to 5.2.6. It is, therefore, affected by a SQL injection vulnerability as disclosed in Django's September 3rd, 2025 security advisory. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Django version 4.2.24, 5.1.12, 5.2.6 or later.See Also
https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
Plugin Details
Severity: High
ID: 264623
File Name: python_django_5_2_6.nasl
Version: 1.1
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 9/12/2025
Updated: 9/12/2025
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.8
CVSS v2
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N
CVSS Score Source: CVE-2025-57833
CVSS v3
Risk Factor: High
Base Score: 7.1
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Vulnerability Information
CPE: cpe:/a:djangoproject:django
Patch Publication Date: 9/3/2025
Vulnerability Publication Date: 9/3/2025
Reference Information
CVE: CVE-2025-57833
IAVA: 2025-A-0645