Understanding the February Django Security CVE Series

What Happened, What Was Fixed, and What Developers Should Do

In early February, the Django project released a coordinated set of security updates addressing multiple vulnerabilities across supported versions of the framework. While none of these issues represent a single catastrophic exploit, taken together they highlight important lessons about ORM safety, query construction, and denial-of-service risks in modern web frameworks.

This post breaks down the Django CVE series, explains the technical impact in plain terms, and outlines practical steps teams should take.

Overview of the February Django Security Release

On February 3, the Django Security Team published updates for:

  • Django 4.2
  • Django 5.2
  • Django 6.0

The patched versions are:

  • Django 4.2.28
  • Django 5.2.11
  • Django 6.0.2

These releases addressed six CVEs, including three high-severity SQL injection vulnerabilities, denial-of-service issues, and a low-severity information disclosure.

🔍 The CVEs at a Glance

High-Severity SQL Injection Issues

These are the most important fixes in the series.

  • CVE-2026-1207: SQL injection via raster lookups on PostGIS backends. Affected applications using geographic queries with user-controlled input.
  • CVE-2026-1287: SQL injection using control characters in column aliases. Demonstrates how edge-case inputs can bypass ORM assumptions.
  • CVE-2026-1312: SQL injection via QuerySet.order_by() and FilteredRelation. Particularly relevant for apps that allow dynamic ordering or filtering.

Key takeaway: Even when using Django’s ORM correctly in most cases, dynamic query construction remains a high-risk area.

Denial-of-Service (DoS) Vulnerabilities

  • CVE-2025-14550: Repeated HTTP headers in ASGI deployments could cause resource exhaustion.
  • CVE-2026-1285: Malformed HTML input to django.utils.text.Truncator could trigger excessive processing.

These issues do not expose data, but they can degrade availability, especially in public-facing services.

Low-Severity Information Disclosure

  • CVE-2025-13473: Username enumeration via timing differences when using mod_wsgi.

This vulnerability is limited in scope but reinforces the importance of constant-time authentication behavior.

Why This Matters (Even If You Trust the ORM)

Django’s ORM is designed to protect developers from SQL injection by default. However, the February CVEs illustrate a recurring security truth:

Security boundaries weaken when flexibility increases.

Common risk patterns include:

  • Accepting user input for order_by() or annotations
  • Building query expressions dynamically
  • Supporting advanced database features such as GIS, JSON, or custom SQL fragments
  • Processing untrusted HTML or large headers

None of these are mistakes on their own, but they require additional validation and constraints.

🛠 What Developers and Teams Should Do

1. Upgrade Immediately

If you are running:

  • Django versions earlier than 4.2.28
  • Django versions earlier than 5.2.11
  • Django versions earlier than 6.0.2

You should upgrade as soon as possible.
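A small CI gate that turns the version floors above into a failing build is an easy way to make "upgrade as soon as possible" enforceable. The following is an added example, not code from the Django project; the patched floors are the three versions listed in this post, and `django.get_version()` is Django's real version accessor. Everything else (function names, the treatment of pre-release suffixes, the exit-code convention) is this example's own choice.

```python
import re
from typing import Optional, Tuple

# Patched floor for each series named in the February release, keyed by major.minor.
PATCHED_MINIMUM = {
    (4, 2): (4, 2, 28),
    (5, 2): (5, 2, 11),
    (6, 0): (6, 0, 2),
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric components, is_final_release).

    '5.2.11' -> ((5, 2, 11), True); '6.0.2a1' -> ((6, 0, 2), False).
    A pre-release is reported as not final so it never satisfies a floor it only
    nominally matches.
    """
    parts = []
    final = True
    for chunk in version.strip().split("."):
        m = re.fullmatch(r"(\d+)(.*)", chunk)
        if m is None:
            break
        parts.append(int(m.group(1)))
        if m.group(2):  # e.g. 'a1', 'rc1' glued to the last numeric component
            final = False
            break
    if len(parts) < 2:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    return tuple(parts), final


def upgrade_needed(version: str) -> Optional[str]:
    """Return None if `version` meets the patched floor for its series, else a reason
    suitable for failing a CI job."""
    parsed, final = parse_version(version)
    series = parsed[:2]
    floor = PATCHED_MINIMUM.get(series)
    if floor is None:
        return (f"Django {version} is not in a series covered by the February release; "
                "review its support status separately")
    padded = tuple(parsed) + (0,) * max(0, 3 - len(parsed))  # '4.2' compares as 4.2.0
    if padded[:3] < floor or (padded[:3] == floor and not final):
        return f"Django {version} is below the patched floor {'.'.join(map(str, floor))}"
    return None


def check_installed() -> Optional[str]:
    """CI entry point: inspect the Django that is actually importable here."""
    try:
        import django  # only importable where Django is installed
    except ImportError:
        return "Django is not installed in this environment"
    return upgrade_needed(django.get_version())


if __name__ == "__main__":
    import sys
    problem = check_installed()
    print(problem or "Django version is at or above the patched floor")
    sys.exit(1 if problem else 0)
```

Run it as a step in the same job that installs your requirements; a non-zero exit fails the pipeline until the pinned version is raised.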

2. Audit Dynamic Query Logic

Search your codebase for:

  • order_by(request.GET[...])
  • Dynamic annotations or aliases
  • GIS lookups using user input
  • Raw SQL or extra()

Ensure all inputs are explicitly allow-listed, not just sanitized.
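The two SQL injection patterns singled out above, user-controlled `order_by()` arguments and user-controlled column aliases, are both addressed by the same discipline: map the client's parameter onto a fixed set of ORM field paths or alias names and refuse anything else. The block below is an added example written for this post, not code from Django or from any real application. It assumes a hypothetical `Article` model with `title`, `created_at` and `author` fields; the allow-lists, limits and function names are this example's own.

```python
import re
from typing import Optional, Tuple

# Hypothetical Article model: ORM field paths clients may sort on, and the
# annotation/alias names a view may let them choose.
ALLOWED_ORDER_FIELDS = frozenset({"title", "created_at", "author__username"})
ALLOWED_ALIASES = frozenset({"comment_count", "latest_comment"})
DEFAULT_ORDERING = ("-created_at",)
MAX_ORDER_FIELDS = 3

# Defence in depth. The allow-list is the primary control; these patterns only make
# the rejection of control characters, quotes, whitespace and '?' (random ordering)
# explicit and cheap to reason about.
_ORDER_TOKEN = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*")
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnsafeQueryParameter(ValueError):
    """Raised when a client-supplied ordering or alias is not on the allow-list."""


def safe_ordering(raw: Optional[str],
                  allowed=ALLOWED_ORDER_FIELDS,
                  default=DEFAULT_ORDERING,
                  max_fields=MAX_ORDER_FIELDS) -> Tuple[str, ...]:
    """Turn a comma-separated 'sort' parameter into arguments safe for order_by()."""
    if raw is None or not raw.strip():
        return tuple(default)
    fields = []
    for token in raw.split(","):
        token = token.strip(" ")  # tolerate plain spaces around commas, nothing else
        if not _ORDER_TOKEN.fullmatch(token):
            raise UnsafeQueryParameter(f"malformed ordering token {token!r}")
        name = token[1:] if token.startswith("-") else token
        if name not in allowed:  # also blocks traversal such as author__password
            raise UnsafeQueryParameter(f"ordering on {name!r} is not permitted")
        fields.append(token)
    if len(fields) > max_fields:
        raise UnsafeQueryParameter(f"at most {max_fields} ordering fields are allowed")
    return tuple(fields)


def safe_alias(raw: str, allowed=ALLOWED_ALIASES) -> str:
    """Vet a client-chosen annotation name before it can become an SQL column alias."""
    if not _IDENTIFIER.fullmatch(raw) or raw not in allowed:
        raise UnsafeQueryParameter(f"alias {raw!r} is not permitted")
    return raw


def apply_ordering(queryset, raw_param: Optional[str]):
    """Apply a vetted ordering to anything exposing order_by(*fields), e.g. a QuerySet.

    In a view: apply_ordering(Article.objects.all(), request.GET.get("sort"))
    """
    return queryset.order_by(*safe_ordering(raw_param))
```

Catch `UnsafeQueryParameter` in the view and answer with a 400; the point is that the only strings ever handed to `order_by()` or used as an alias are literals you wrote, so the user's input selects among them rather than flowing through.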

3. Review ASGI and Edge-Case Input Handling

  • Confirm request header limits are enforced (a reverse proxy in front of the application can help)
  • Avoid expensive text or HTML processing on untrusted input
  • Rate-limit endpoints that accept complex parameters
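Header limits do not have to live only in the reverse proxy. Below is an added example of a plain ASGI middleware that refuses requests whose header set is too large or too repetitive before they reach Django, the kind of belt-and-braces control that item 3 recommends. It is not code from Django and is not how CVE-2025-14550 was fixed (that fix is the upgrade); the three limits are assumptions to tune for your traffic, and the 431 status is the standard "Request Header Fields Too Large" code.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple

# Assumed limits for this example; adjust to what your legitimate clients send.
MAX_HEADER_COUNT = 100         # total header lines per request
MAX_HEADER_BYTES = 32 * 1024   # combined size of all names and values
MAX_REPEATS_PER_NAME = 10      # how often a single header name may appear


def check_headers(headers: Iterable[Tuple[bytes, bytes]],
                  max_count: int = MAX_HEADER_COUNT,
                  max_bytes: int = MAX_HEADER_BYTES,
                  max_repeats: int = MAX_REPEATS_PER_NAME) -> Optional[str]:
    """Return None if the header list is within limits, otherwise a short reason.

    ASGI servers present headers as (name, value) byte pairs with lower-cased names;
    a repeated header arrives as several separate pairs.
    """
    count = 0
    total = 0
    per_name: Counter = Counter()
    for name, value in headers:
        count += 1
        total += len(name) + len(value)
        key = name.lower()
        per_name[key] += 1
        # Fail as soon as a limit is crossed rather than scanning the whole list first.
        if count > max_count:
            return f"more than {max_count} header lines"
        if total > max_bytes:
            return f"headers exceed {max_bytes} bytes"
        if per_name[key] > max_repeats:
            return f"header {key.decode('latin-1')!r} repeated more than {max_repeats} times"
    return None


class HeaderLimitMiddleware:
    """ASGI middleware that answers 431 for oversized or heavily repeated header sets.

    Wrap Django in asgi.py: application = HeaderLimitMiddleware(get_asgi_application())
    """

    def __init__(self, app, **limits):
        self.app = app
        self.limits = limits  # forwarded to check_headers, e.g. max_repeats=4

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            reason = check_headers(scope.get("headers", []), **self.limits)
            if reason is not None:
                await send({
                    "type": "http.response.start",
                    "status": 431,
                    "headers": [(b"content-type", b"text/plain; charset=utf-8")],
                })
                await send({"type": "http.response.body", "body": reason.encode("utf-8")})
                return
        await self.app(scope, receive, send)
```

Because the check runs on the already-parsed header list, it bounds the work your own application does per request; it cannot stop the ASGI server itself from parsing a hostile request, which is why the proxy-level limit and the framework upgrade still matter.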

4. Treat Framework Updates as Security Events

Even when CVEs are not labeled critical, framework security releases often fix:

  • Edge cases
  • Assumption violations
  • Unexpected interaction between features

These are exactly the kinds of issues attackers look for.

Final Thoughts

The February Django CVE series is a good reminder that secure frameworks do not eliminate the need for secure design. Django continues to demonstrate strong security stewardship by identifying and fixing subtle vulnerabilities, but it is up to application teams to apply those fixes and review risky patterns.

If you use Django in production, these updates are not optional. They are part of responsible framework maintenance.

Source: https://docs.djangoproject.com/en/6.0/releases/security/