Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/django@5.1.15
Typepypi
Namespace
Namedjango
Version5.1.15
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version5.2.14
Latest_non_vulnerable_version6.0.5
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-7c5n-nzwk-v7bz
vulnerability_id VCID-7c5n-nzwk-v7bz
summary 
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
references
0
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
url https://docs.djangoproject.com/en/dev/releases/security
1
reference_url https://docs.djangoproject.com/en/dev/releases/security/
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://docs.djangoproject.com/en/dev/releases/security/
2
reference_url https://github.com/django/django
reference_id
reference_type
scores
url https://github.com/django/django
3
reference_url https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
reference_id
reference_type
scores
url https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
4
reference_url https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
reference_id
reference_type
scores
url https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
5
reference_url https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
reference_id
reference_type
scores
url https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
6
reference_url https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
reference_id
reference_type
scores
url https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
7
reference_url https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
reference_id
reference_type
scores
url https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
8
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://groups.google.com/g/django-announce
9
reference_url https://www.djangoproject.com/weblog/2025/dec/02/security-releases
reference_id
reference_type
scores
url https://www.djangoproject.com/weblog/2025/dec/02/security-releases
10
reference_url https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-13372
reference_id CVE-2025-13372
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-13372
12
reference_url https://github.com/advisories/GHSA-rqw2-ghq9-44m7
reference_id GHSA-rqw2-ghq9-44m7
reference_type
scores
url https://github.com/advisories/GHSA-rqw2-ghq9-44m7
fixed_packages
0
url pkg:pypi/django@4.2.27
purl pkg:pypi/django@4.2.27
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4kcg-gx5y-cuaw
1
vulnerability VCID-ga7z-wj4j-63h1
2
vulnerability VCID-jybd-p65h-xffy
3
vulnerability VCID-kxdd-yzp3-r7cb
4
vulnerability VCID-phkp-9abp-f3dq
5
vulnerability VCID-r1vx-vv7d-gqaj
6
vulnerability VCID-shch-yusm-1uck
7
vulnerability VCID-shjc-2j68-2yfy
8
vulnerability VCID-tktt-vg92-6kae
9
vulnerability VCID-tuqc-c251-h7ds
10
vulnerability VCID-wa3g-27sx-mbcw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27
1
url pkg:pypi/django@5.1.15
purl pkg:pypi/django@5.1.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15
2
url pkg:pypi/django@5.2.9
purl pkg:pypi/django@5.2.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4kcg-gx5y-cuaw
1
vulnerability VCID-abpe-htm1-9ubp
2
vulnerability VCID-eqsc-axng-ckca
3
vulnerability VCID-ga7z-wj4j-63h1
4
vulnerability VCID-jybd-p65h-xffy
5
vulnerability VCID-kxdd-yzp3-r7cb
6
vulnerability VCID-m4am-h2ea-3ffr
7
vulnerability VCID-phkp-9abp-f3dq
8
vulnerability VCID-r1vx-vv7d-gqaj
9
vulnerability VCID-shch-yusm-1uck
10
vulnerability VCID-shjc-2j68-2yfy
11
vulnerability VCID-tktt-vg92-6kae
12
vulnerability VCID-tuqc-c251-h7ds
13
vulnerability VCID-wa3g-27sx-mbcw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9
aliases CVE-2025-13372, GHSA-rqw2-ghq9-44m7, PYSEC-2025-104
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7c5n-nzwk-v7bz
1
url VCID-fcg9-xypn-ykhf
vulnerability_id VCID-fcg9-xypn-ykhf
summary 
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
references
0
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
url https://docs.djangoproject.com/en/dev/releases/security
1
reference_url https://docs.djangoproject.com/en/dev/releases/security/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://docs.djangoproject.com/en/dev/releases/security/
2
reference_url https://github.com/django/django
reference_id
reference_type
scores
url https://github.com/django/django
3
reference_url https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b
reference_id
reference_type
scores
url https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b
4
reference_url https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5
reference_id
reference_type
scores
url https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5
5
reference_url https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0
reference_id
reference_type
scores
url https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0
6
reference_url https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d
reference_id
reference_type
scores
url https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d
7
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://groups.google.com/g/django-announce
8
reference_url https://www.djangoproject.com/weblog/2025/dec/02/security-releases
reference_id
reference_type
scores
url https://www.djangoproject.com/weblog/2025/dec/02/security-releases
9
reference_url https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64460
reference_id CVE-2025-64460
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-64460
11
reference_url https://github.com/advisories/GHSA-vrcr-9hj9-jcg6
reference_id GHSA-vrcr-9hj9-jcg6
reference_type
scores
url https://github.com/advisories/GHSA-vrcr-9hj9-jcg6
fixed_packages
0
url pkg:pypi/django@4.2.27
purl pkg:pypi/django@4.2.27
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4kcg-gx5y-cuaw
1
vulnerability VCID-ga7z-wj4j-63h1
2
vulnerability VCID-jybd-p65h-xffy
3
vulnerability VCID-kxdd-yzp3-r7cb
4
vulnerability VCID-phkp-9abp-f3dq
5
vulnerability VCID-r1vx-vv7d-gqaj
6
vulnerability VCID-shch-yusm-1uck
7
vulnerability VCID-shjc-2j68-2yfy
8
vulnerability VCID-tktt-vg92-6kae
9
vulnerability VCID-tuqc-c251-h7ds
10
vulnerability VCID-wa3g-27sx-mbcw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27
1
url pkg:pypi/django@5.1.15
purl pkg:pypi/django@5.1.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15
2
url pkg:pypi/django@5.2.9
purl pkg:pypi/django@5.2.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4kcg-gx5y-cuaw
1
vulnerability VCID-abpe-htm1-9ubp
2
vulnerability VCID-eqsc-axng-ckca
3
vulnerability VCID-ga7z-wj4j-63h1
4
vulnerability VCID-jybd-p65h-xffy
5
vulnerability VCID-kxdd-yzp3-r7cb
6
vulnerability VCID-m4am-h2ea-3ffr
7
vulnerability VCID-phkp-9abp-f3dq
8
vulnerability VCID-r1vx-vv7d-gqaj
9
vulnerability VCID-shch-yusm-1uck
10
vulnerability VCID-shjc-2j68-2yfy
11
vulnerability VCID-tktt-vg92-6kae
12
vulnerability VCID-tuqc-c251-h7ds
13
vulnerability VCID-wa3g-27sx-mbcw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9
aliases CVE-2025-64460, GHSA-vrcr-9hj9-jcg6, PYSEC-2025-109
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg9-xypn-ykhf
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15