Back to blog
PythonDjangoSQL injection

Python and Django: why CVE-2025-64459 should be taken seriously

Published on 2026-04-116 min readCleanIssue

> TL;DR: CVE-2025-64459 showed that even a trusted ORM layer can expose SQL injection risk in specific conditions. Here is why this Django flaw should be...

An important flaw in an ecosystem often seen as careful by default

Django has a strong security reputation. That is exactly why CVE-2025-64459 is worth studying. According to the Django-linked security release information and the NVD entry, QuerySet.filter(), exclude(), get(), and the Q() class could be subject to SQL injection when used with a specially crafted dictionary expanded into the _connector argument.

Why this matters

The lesson is not that Django ORM is broadly unsafe. The more useful lesson is that safe abstractions are still conditional. They reduce risk dramatically, but they do not remove it by magic when unusual usage patterns appear.

The CVE lists fixed versions including 5.1.14, 4.2.26, and 5.2.8.

What this says about Python web development

Python attracts many teams that value readability, delivery speed, and strong framework defaults. That is a good foundation. But that culture can also create too much confidence in higher-level abstractions.

As soon as usage drifts away from common patterns, disciplined review becomes necessary again.

The real lesson

With Django, many developers correctly believe they avoid a large class of classic SQL injection mistakes. But the right habit is not to say the ORM always protects us. The right habit is to know which security assumptions the ORM really guarantees, and which edge cases fall outside those assumptions.

What Django teams should verify

  • framework versions in production;
  • unusual uses of Q() and dictionary expansion;
  • shared helper code reused across projects;
  • internal applications that tend to receive less scrutiny than public products.
  • Our view

    CVE-2025-64459 is a strong Python web example because it hits a major trust anchor in the ecosystem: the belief that the framework absorbs almost all low-level query risk.

    The useful conclusion is not distrust Django. It is distrust broad certainty about what the framework covers in every edge case.

    Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit