Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/django@5.0a1

Type pypi

Namespace

Name django

Version 5.0a1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.0.14

Latest_non_vulnerable_version 6.0.5

Affected_by_vulnerabilities

url VCID-9udu-eqvn-mqbj

vulnerability_id VCID-9udu-eqvn-mqbj

summary

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`  were subject to a potential  denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64458

reference_id

reference_type

scores

value	0.00024
scoring_system	epss
scoring_elements	0.07194
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64458

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://docs.djangoproject.com/en/dev/releases/security/

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/

url

https://docs.djangoproject.com/en/dev/releases/security/

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242

reference_url

https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac

reference_url

https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f

reference_url

https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/

url

https://groups.google.com/g/django-announce

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2412649
reference_id	2412649
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2412649

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64458

reference_id

CVE-2025-64458

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64458

reference_url

https://github.com/advisories/GHSA-qw25-v68c-qjf3

reference_id

GHSA-qw25-v68c-qjf3

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qw25-v68c-qjf3

fixed_packages

url pkg:pypi/django@5.1.14

purl pkg:pypi/django@5.1.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3d6k-rdsh-k7hm

vulnerability	VCID-7jbt-5zw2-vff2

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.14

url pkg:pypi/django@5.2.8

purl pkg:pypi/django@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-32d1-b8f2-hud5

vulnerability	VCID-3ccr-92q5-aqfk

vulnerability	VCID-3d6k-rdsh-k7hm

vulnerability	VCID-5fbx-3yfb-fudx

vulnerability	VCID-62jv-ab6d-sqdb

vulnerability	VCID-63c7-mkxw-ufav

vulnerability	VCID-7jbt-5zw2-vff2

vulnerability	VCID-92bp-6kte-tyfs

vulnerability	VCID-92z2-3rbz-77h9

vulnerability	VCID-cbsj-1qqg-1ba6

vulnerability	VCID-cg44-thdw-cygg

vulnerability	VCID-enen-3w2h-g3b8

vulnerability	VCID-g22z-jue5-8udz

vulnerability	VCID-heum-8mwz-sbcw

vulnerability	VCID-j2uz-w2ur-7ud4

vulnerability	VCID-jma1-9ags-xbfm

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8

aliases BIT-django-2025-64458, CVE-2025-64458, GHSA-qw25-v68c-qjf3, PYSEC-2025-107

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9udu-eqvn-mqbj

url VCID-u15a-4ste-43cy

vulnerability_id VCID-u15a-4ste-43cy

summary

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64459

reference_id

reference_type

scores

value	0.00256
scoring_system	epss
scoring_elements	0.49195
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64459

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://docs.djangoproject.com/en/dev/releases/security/

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/

url

https://docs.djangoproject.com/en/dev/releases/security/

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85

reference_url

https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4

reference_url

https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b

reference_url

https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241

reference_url

https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/

url

https://groups.google.com/g/django-announce

reference_url

https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139
reference_id	1120139
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2412651
reference_id	2412651
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2412651

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py
reference_id	CVE-2025-64459
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64459

reference_id

CVE-2025-64459

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64459

reference_url

https://github.com/advisories/GHSA-frmv-pr5f-9mcr

reference_id

GHSA-frmv-pr5f-9mcr

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-frmv-pr5f-9mcr

reference_url	https://access.redhat.com/errata/RHSA-2025:23069
reference_id	RHSA-2025:23069
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23069

reference_url	https://access.redhat.com/errata/RHSA-2025:23070
reference_id	RHSA-2025:23070
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23070

reference_url	https://access.redhat.com/errata/RHSA-2025:23130
reference_id	RHSA-2025:23130
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23130

reference_url	https://access.redhat.com/errata/RHSA-2025:23131
reference_id	RHSA-2025:23131
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23131

reference_url	https://access.redhat.com/errata/RHSA-2025:23133
reference_id	RHSA-2025:23133
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23133

reference_url	https://access.redhat.com/errata/RHSA-2025:23196
reference_id	RHSA-2025:23196
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23196

reference_url	https://access.redhat.com/errata/RHSA-2026:1596
reference_id	RHSA-2026:1596
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1596

reference_url	https://usn.ubuntu.com/7859-1/
reference_id	USN-7859-1
reference_type
scores
url	https://usn.ubuntu.com/7859-1/

fixed_packages

url pkg:pypi/django@5.1.14

purl pkg:pypi/django@5.1.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3d6k-rdsh-k7hm

vulnerability	VCID-7jbt-5zw2-vff2

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.14

url pkg:pypi/django@5.2.8

purl pkg:pypi/django@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-32d1-b8f2-hud5

vulnerability	VCID-3ccr-92q5-aqfk

vulnerability	VCID-3d6k-rdsh-k7hm

vulnerability	VCID-5fbx-3yfb-fudx

vulnerability	VCID-62jv-ab6d-sqdb

vulnerability	VCID-63c7-mkxw-ufav

vulnerability	VCID-7jbt-5zw2-vff2

vulnerability	VCID-92bp-6kte-tyfs

vulnerability	VCID-92z2-3rbz-77h9

vulnerability	VCID-cbsj-1qqg-1ba6

vulnerability	VCID-cg44-thdw-cygg

vulnerability	VCID-enen-3w2h-g3b8

vulnerability	VCID-g22z-jue5-8udz

vulnerability	VCID-heum-8mwz-sbcw

vulnerability	VCID-j2uz-w2ur-7ud4

vulnerability	VCID-jma1-9ags-xbfm

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8

aliases BIT-django-2025-64459, CVE-2025-64459, GHSA-frmv-pr5f-9mcr, PYSEC-2025-108

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u15a-4ste-43cy

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0a1

Package Instance