Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

Django: CVE-2025-64459

Max room.

Explore and learn about the Django CVE-2025-64459 vulnerability.

easy

60 min

4,096

User profile photo.
User profile photo.
User profile photo.

To access material, start machines and answer questions login.

Django is a widely used Python web framework that exposes Object-Relational Mapping () layer to let developers query databases using familiar Python syntax. That convenience becomes a liability when user input is fed straight into calls without validation. In particular, some applications expand request parameter dictionaries directly into filter(), exclude() or get() calls. For example, filter(**request.GET.dict()) inadvertently allows an attacker to supply internal query-control parameters.

Illustration of a syringe injecting red fluid into a database server icon, symbolizing a SQL injection attack compromising the integrity of the database.

A critical vulnerability exists where specially crafted query parameters such as _connector and _negated can be injected into those calls. By manipulating how query clauses are combined or inverted, an attacker can alter the logical structure of database queries leading to unauthorised data access, authentication bypasses, or privilege escalation. The issue is high-severity ( ~9.1) and straightforward to exploit in many common coding patterns.

This room will explain what makes the flaw possible, show how to identify the risky code pattern in a codebase, demonstrate practical exploitation in an isolated lab environment, and walk through remediation and detection strategies so the same mistake is not repeated in production.

Answer the questions below

Let's dive in!