Package: python-django
Version: 3:3.2.19-1+deb12u1
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
- CVE-2025-13372: Fix a potential SQL injection attack in FilteredRelation
column aliases when using PostgreSQL. FilteredRelation was subject to SQL
injection in column aliases via a suitably crafted dictionary as the
**kwargs passed to QuerySet.annotate() or QuerySet.alias().
- CVE-2025-64460: Prevent a potential denial-of-service vulnerability in
XML serializer text extraction. An algorithmic complexity issue in
django.core.serializers.xml_serializer.getInnerText() allowed a remote
attacker to cause a potential denial of service, triggering CPU and memory
exhaustion via a specially crafted XML input submitted to a service that
invokes the XML deserializer. The vulnerability resulted from repeated
string concatenation while recursively collecting text nodes, which
produced superlinear computation.
<https://www.djangoproject.com/weblog/2025/dec/02/security-releases/>
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
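As an added illustration of the complexity issue behind CVE-2025-64460 (example code, not Django's getInnerText() and not part of this report): a recursive text extractor that grows its result by string concatenation, beside a collect-then-join version that does linear work. The `copied` counter is an instrumentation assumption modelling how many characters each `+=` copies, and the nested document is constructed input.

```python
# Example code, not Django's getInnerText(): concatenation-based extraction
# beside a collect-then-join version. `copied` is an instrumentation
# assumption modelling characters copied per `+=`; the XML input is constructed.
from xml.dom import minidom


def build_nested(depth, leaf_text="x" * 16):
    """Constructed input: <field>xx..<field>xx..<field/></field></field>, `depth` deep."""
    doc = minidom.Document()
    root = doc.createElement("field")
    node = root
    for _ in range(depth):
        node.appendChild(doc.createTextNode(leaf_text))
        child = doc.createElement("field")
        node.appendChild(child)
        node = child
    return root


def inner_text_quadratic(node, copied):
    """`+=` at every level re-copies all text collected below it: superlinear."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            piece = child.data
        elif child.nodeType == child.ELEMENT_NODE:
            piece = inner_text_quadratic(child, copied)
        else:
            continue
        copied[0] += len(text) + len(piece)  # size of the new string being built
        text += piece
    return text


def _text_pieces(node):
    """Yield text nodes in document order without building intermediate strings."""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            yield child.data
        elif child.nodeType == child.ELEMENT_NODE:
            yield from _text_pieces(child)


def inner_text_linear(node):
    """Join once, so copying is proportional to the output length."""
    return "".join(_text_pieces(node))


def compare(depth, leaf_len=16):
    """Run both extractors on the same document; return output length and copy counts."""
    root = build_nested(depth, "x" * leaf_len)
    copied = [0]
    slow, fast = inner_text_quadratic(root, copied), inner_text_linear(root)
    assert slow == fast  # identical output, very different cost
    return {"length": len(fast), "quadratic_copies": copied[0], "linear_copies": len(fast)}
```

Going from depth 200 to depth 300 multiplies the linear version's copying by 1.5 but the concatenating version's by more than 2, which is the superlinear growth the advisory describes.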