Introduction to Django CVE-2025-64459

Created: March 9, 2026

Last Edited: June 23, 2026


CVE-2025-64459 is a SQL injection vulnerability disclosed in 2025 that affects multiple Django versions (fixed in Django 5.2.8, 5.1.14 and 4.2.25). The flaw is that QuerySet.filter(), QuerySet.exclude(), QuerySet.get() and Q() objects in the Django ORM accept a _connector keyword argument, so an application that expands untrusted data into one of those calls with **kwargs lets an attacker choose that value. The connector is the string the ORM places between the conditions of a WHERE clause (normally AND or OR), and an arbitrary SQL fragment supplied there is written straight into the query.

Query parameters are the key=value pairs in the query string of a URL (everything after the ?). The browser sends them to the server with the request, and they are the usual way for a page such as a search form to tell the server what the user asked for. On this site, query parameters are used to search for blog posts: they are passed to Django, which filters which posts to show based on their values. Because they are expanded straight into the ORM call, a parameter named _connector is not treated as a field to search on but as the connector between the filter conditions.

The exploit is done by setting ?_connector=OR 1=1 OR in the URL. When the filter combines two or more conditions, Django joins them with the attacker's string, so the WHERE clause becomes roughly (condition_a OR 1=1 OR condition_b). Since 1=1 is always true and it sits inside an OR, every row matches and the query returns ALL posts, whatever the search terms were.
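As an added example (not code from this site or from Django itself), here is a small pure-Python model of why a _connector key smuggled in through **kwargs changes the query, next to the application-side check that keeps it out. The field names, the allow-list and the query strings are made up for the example; render_where is a deliberately simplified stand-in for the way Django's WhereNode joins its child conditions, and build_where_checked only sketches the kind of connector validation a patched release performs, not the actual patch.

```python
from urllib.parse import parse_qs

# Constructed query strings mirroring the URL in the post (assumed field names).
MALICIOUS_QUERY = "_connector=OR 1=1 OR&author__name=alice&title__icontains=django"
BENIGN_QUERY = "author__name=alice&title__icontains=django"


def parse_params(query_string):
    """One value per key, like Django's request.GET.dict()."""
    return {key: values[-1] for key, values in parse_qs(query_string).items()}


def render_where(conditions, connector):
    """Simplified stand-in for django.db.models.sql.where.WhereNode: the
    connector string is placed verbatim between the child conditions."""
    return "(" + f" {connector} ".join(conditions) + ")"


def build_where_vulnerable(params):
    """Models Post.objects.filter(**params) on an unpatched Django.

    A '_connector' key is consumed as the Q connector instead of being treated
    as a lookup; the remaining keys become conditions, sorted the way Q()
    sorts its kwargs. Lookup rendering is simplified to 'field = %s'."""
    params = dict(params)
    connector = params.pop("_connector", "AND")
    conditions = [f"{lookup} = %s" for lookup in sorted(params)]
    return render_where(conditions, connector)


def build_where_checked(params):
    """Same model, but with the connector restricted to AND/OR (sketch of the
    framework-side fix; assumed shape, not Django's real code)."""
    params = dict(params)
    connector = params.pop("_connector", "AND")
    if connector not in ("AND", "OR"):
        raise ValueError(f"invalid connector: {connector!r}")
    conditions = [f"{lookup} = %s" for lookup in sorted(params)]
    return render_where(conditions, connector)


# Hardened application pattern: never expand raw request data into filter();
# accept only the lookups the search form is meant to expose.
# The allow-list is an assumption for this example.
ALLOWED_LOOKUPS = {"author__name", "title__icontains"}


def rejected_params(params):
    """Keys that are not on the allow-list. This catches _connector, _negated
    and any lookup the search form was never meant to accept."""
    return set(params) - ALLOWED_LOOKUPS


def safe_filter_kwargs(params):
    """Return only allow-listed keys, ready for Post.objects.filter(**kwargs)."""
    bad = rejected_params(params)
    if bad:
        raise ValueError(f"unsupported search parameter(s): {sorted(bad)}")
    return {key: params[key] for key in ALLOWED_LOOKUPS if key in params}


if __name__ == "__main__":
    print(build_where_vulnerable(parse_params(BENIGN_QUERY)))
    print(build_where_vulnerable(parse_params(MALICIOUS_QUERY)))
    print(safe_filter_kwargs(parse_params(BENIGN_QUERY)))
```

The allow-list is the fix that remains under the application's control regardless of the Django version in use: it rejects the underscore-prefixed keyword arguments before they ever reach the ORM, and it also stops a caller from probing fields the search was never designed to expose.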

Try it out to find the next article:

https://cve.hyperf.app?_connector=OR 1=1 OR

