Django’s New SQLi & DoS Flaws: Why Your WAF Won’t Save You — A CISO’s Guide
Executive CISO guide for CVE-2025-64459 (SQLi) & CVE-2025-64458 (DoS) affecting Django ORM query composition. Patch, detect, and mitigate.
By CyberDudeBivash Research • Published: Nov 6, 2025
TL;DR — What CISOs must do right now
- Patch immediately: upgrade Django to the vendor-published security releases.
- Search for code that expands untrusted `**kwargs` into ORM methods and replace it with an explicit, allow-listed mapping.
- Enable ORM SQL logging and deploy SIEM detection rules that look for unusual connector tokens and query shapes.
Contents:
- Context & Scope
- Technical Overview
- Safe PoC / Lab
- WAF Limitations
- Mitigations & Patch Checklist
- Detections (Sigma/KQL/Splunk)
- IR Playbook + Templates
- 30/60/90 Plan & Appendices

Context & Scope
Short: Django's security releases address two related vulnerabilities in ORM expression merging. Both are reachable when an application expands an untrusted dictionary into a query method as keyword arguments, or otherwise accepts Django-internal tokens from untrusted input.
Technical Overview
The bug occurs during QuerySet expression merging. When a user-controlled dictionary is expanded into a query method (for example filter(**user_filters)), specially crafted keys or tokens can influence how the expression tree is composed, producing unparameterized SQL fragments (the SQLi case) or resource-heavy queries (the DoS case).
Vulnerable pattern
```python
# Example vulnerable pattern: every request parameter becomes an ORM keyword argument
filters = {}  # attacker-controlled mapping
for k, v in request.GET.items():
    filters[k] = v  # key names are never validated, so internal tokens pass straight through
qs = MyModel.objects.filter(**filters)  # untrusted keys drive expression composition
```
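The fix the mitigation checklist calls for is to stop forwarding client-chosen keys at all. The following is an added example (not code from the post or from Django) of an allow-listed filter builder: the client may only use the public parameter names in `ALLOWED_FILTERS`, each is mapped to a fixed ORM lookup and passed through a value validator, and anything else, including internal tokens such as `_connector`, is rejected before it can reach `filter(**...)`. The model fields (`status`, `owner__username`, `created__gte`, `title__icontains`) are hypothetical.

```python
from datetime import date
from typing import Any, Callable, Mapping


class BadFilter(ValueError):
    """Raised when a client-supplied filter key or value is not accepted."""


# Per-parameter value validators. Each returns the cleaned value or raises ValueError.
def _short_text(v: str) -> str:
    if len(v) > 200:
        raise BadFilter("value too long")
    return v


def _status(v: str) -> str:
    if v not in {"open", "closed"}:
        raise BadFilter("unknown status")
    return v


def _iso_date(v: str) -> date:
    return date.fromisoformat(v)  # raises ValueError on anything that is not YYYY-MM-DD


# Public parameter name -> (fixed ORM lookup, validator). Hypothetical model fields.
# This mapping is the only way a client can influence which kwargs reach the ORM.
ALLOWED_FILTERS: Mapping[str, tuple[str, Callable[[str], Any]]] = {
    "status": ("status", _status),
    "owner": ("owner__username", _short_text),
    "created_after": ("created__gte", _iso_date),
    "q": ("title__icontains", _short_text),
}


def build_safe_filters(params: Mapping[str, Any]) -> dict[str, Any]:
    """Translate untrusted request parameters into ORM keyword arguments.

    Unknown keys (including Django-internal tokens like '_connector' or lookups the
    client invents such as 'owner__username') are rejected rather than forwarded.
    """
    safe: dict[str, Any] = {}
    for key, value in params.items():
        entry = ALLOWED_FILTERS.get(key)
        if entry is None:
            raise BadFilter(f"filter key not allowed: {key!r}")
        lookup, validate = entry
        if not isinstance(value, str):
            raise BadFilter(f"value for {key!r} must be a string")
        try:
            safe[lookup] = validate(value)
        except ValueError as exc:  # BadFilter is a ValueError too; rewrap with context
            raise BadFilter(f"bad value for {key!r}: {exc}") from exc
    return safe


def rejects(params: Mapping[str, Any]) -> bool:
    """True if build_safe_filters refuses the given parameters (used for self-checks)."""
    try:
        build_safe_filters(params)
    except BadFilter:
        return True
    return False


if __name__ == "__main__":
    # In a view this would be: MyModel.objects.filter(**build_safe_filters(request.GET))
    print(build_safe_filters({"status": "open", "q": "django", "created_after": "2025-11-06"}))
    print(rejects({"_connector": "OR"}))  # internal token never reaches the ORM
```

Because the ORM lookups are fixed server-side, a client cannot change which field, operator or connector a query uses; it can only supply validated values for the lookups the application chose to expose.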
Lab-safe PoC summary
Test only in an isolated environment. The goal: verify that the ORM emits unexpected SQL fragments when given malformed keys — do not exfiltrate data.
Lab setup
- Ubuntu 22.04, Python 3.11 virtualenv
- Django pre-patch (5.2.x before vendor fix), MySQL/MariaDB
- Enable `django.db.backends` logging to capture generated SQL (Django only emits SQL to this logger when settings.DEBUG is True, so keep this to the isolated lab instance)
Why WAFs often won’t stop this
WAFs detect raw SQL and known signatures. This issue manipulates server-side query composition semantics, so the requests look like ordinary JSON or form data and carry no SQL for a signature to match. WAF rules are therefore a stopgap, not the primary fix.
Immediate Mitigations & Patch Checklist
- Patch: upgrade Django to the official security releases from the project.
- Search for and fix patterns that pass untrusted `**kwargs` into ORM calls. Replace them with an explicit mapping/whitelist.
- Deploy SIEM detection rules for unusual tokens (see the detections block below).
- Enable temporary controls: throttle/filter endpoints, disable dynamic filters where feasible.
Detection examples
Use these as templates — tune to reduce false positives.
Sigma starter
```yaml
title: Suspicious ORM connector token
logsource:
  category: webserver   # assumed: web server or proxy access logs that carry the query string
detection:
  selection:
    QueryString|contains:
      - "_connector"
      - "__raw__"
  condition: selection
level: high
```
KQL starter (Azure Sentinel)
```kql
AppRequests
// RequestBody is not a default AppRequests column; this assumes request bodies are captured into that field.
| where Url contains "filter" or Url contains "search"
| where RequestBody contains "_connector"
| summarize count() by bin(TimeGenerated, 5m), Url, ClientIP
| where count_ > 20
```
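To show what the Sigma and KQL starters above actually match, here is an added example (not from the post) that runs the same logic in plain Python over a constructed request log: it parses each line, flags requests whose path mentions a filter/search endpoint and whose query-string keys contain one of the suspicious tokens, and then counts hits per 5-minute bucket, path and client IP, exactly as the KQL `summarize ... by bin(TimeGenerated, 5m)` does. The log format, endpoints and IP addresses are constructed for the example; unlike the KQL, it inspects the URL query string rather than a request body.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Tokens and path hints mirror the Sigma/KQL starters.
SUSPICIOUS_TOKENS = ("_connector", "__raw__")
PATH_HINTS = ("filter", "search")

# Constructed sample request log: "<ISO timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2025-11-06T10:00:01Z 203.0.113.5 GET /api/items/filter?status=open
2025-11-06T10:00:02Z 203.0.113.5 GET /api/items/filter?_connector=OR&status=open
2025-11-06T10:00:03Z 198.51.100.7 GET /api/items/search?q=hello
2025-11-06T10:01:10Z 203.0.113.5 POST /api/items/filter?__raw__=1
2025-11-06T10:06:00Z 203.0.113.5 GET /api/items/filter?_connector=AND
2025-11-06T10:06:30Z 198.51.100.7 GET /health
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, url = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "url": url,
    }


def is_suspicious(url: str) -> bool:
    """True when the path looks like a filter/search endpoint AND a query key carries a suspicious token."""
    parts = urlsplit(url)
    if not any(hint in parts.path for hint in PATH_HINTS):
        return False
    keys = parse_qs(parts.query, keep_blank_values=True)  # keys only; values are irrelevant here
    return any(tok in key for key in keys for tok in SUSPICIOUS_TOKENS)


def bucket_5m(ts: datetime) -> str:
    """Floor a timestamp to the start of its 5-minute bucket (like KQL bin(TimeGenerated, 5m))."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0).isoformat()


def suspicious_hits(log_text: str) -> Counter:
    """Count suspicious requests per (5-minute bucket, path, client IP)."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["url"]):
            hits[(bucket_5m(rec["ts"]), urlsplit(rec["url"]).path, rec["ip"])] += 1
    return hits


def alerts(log_text: str, threshold: int = 20) -> list:
    """Return the (bucket, path, ip) keys whose count exceeds the threshold (KQL: where count_ > 20)."""
    return sorted(key for key, n in suspicious_hits(log_text).items() if n > threshold)


if __name__ == "__main__":
    for key, n in sorted(suspicious_hits(SAMPLE_LOG).items()):
        print(n, key)
    print("alerts at threshold 1:", alerts(SAMPLE_LOG, threshold=1))
```

The threshold of 20 per 5 minutes is the KQL starter's value and is meant for volume-based DoS hunting; for the SQLi case a single request carrying an internal token on a public endpoint is already worth a look, so a lower threshold or a separate one-hit rule is reasonable.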
Incident Response — first actions (0–4 hours)
- Start emergency patch window for public-facing and admin services.
- Disable dynamic filtering endpoints if rollback is faster than patching.
- Enable verbose ORM logging and capture SQL logs.
- Apply short-term WAF rules to block requests with suspicious keys or characters.
Communication templates
Internal exec brief (subject): Urgent: Django SQLi & DoS vulnerabilities — Immediate Patch Action Required
30/60/90 Day plan (summary)
- 30 days: Patch all critical systems and run regression tests.
- 60 days: Audit codebase, add tests, build ORM-safe builder functions.
- 90 days: Purple-team exercises and update secure dev training.
© 2025 CyberDudeBivash Pvt Ltd — cyberdudebivash.com | cyberbivash.blogspot.com
#Django #SQLi #SQLinjection #RCE #DoS #WAFBypass #CyberDudeBivash #IncidentResponse #MDR #ThreatHunting #VAPT #Python #CVE #CVE202551501