Mageia 9: Python-Django Important SQL Injection Threat MGASA-2025-0243
mageia
October 22, 2025
MGASA-2025-0243 - Updated python-django packages fix a security vulnerability
Summary
Description:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection
in column aliases, when using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods (on MySQL
and MariaDB). (CVE-2025-59681)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
and 5.2 before 5.2.7. The django.utils.archive.extract() function, used
by the "startapp --template" and "startproject --template" commands,
allows partial directory traversal via an archive with file paths
sharing a common prefix with the target directory. (CVE-2025-59682)
References
- https://bugs.mageia.org/show_bug.cgi?id=34645
- https://www.openwall.com/lists/oss-security/2025/10/01/3
- https://www.cve.org/CVERecord?id=CVE-2025-59681
- https://www.cve.org/CVERecord?id=CVE-2025-59682
Topics Covered
Resolution
SRPMS
- 9/core/python-django-4.1.13-1.7.mga9
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 22 Oct 2025
URL: https://advisories.mageia.org/MGASA-2025-0243.html
Type: security
CVE: CVE-2025-59681,
CVE-2025-59682
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!