CVE-2025-57833研究分析
这两周研究了CVE-2025-57833这个django的sql注入漏洞,顺便做了一个开源复现环境,可供vscode源码调试,欢迎各位师傅使用,发现问题可发issue。
地址:https://gitee.com/hacja/cve_2025_57833_study
漏洞背景
CVE-2025-57833 An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
官方修复
django/db/models/sql/query.py的add_filtered_relation方法的最开头增加了一行
#django/db/models/sql/query.py的add_filtered_relation方法的最开头增加了一行
def add_filtered_relation(self, filtered_relation, alias):
+ self.check_alias(alias)filtered_relation.alias = alias