Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.

Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2025-09-10 09:53:52 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 08:11:45 -0400
commit: 41b43c74bda19753c757036673ea9db74acf494a (patch)
tree: a5c7c19d5c4e952afaea9e62ef71e803c58589b0 /docs/releases
parent: 6c82b0bc91fc650891b0b411ac4a5a86cf0cf3e8 (diff)
3 files changed, 25 insertions, 2 deletions
diff --git a/docs/releases/4.2.25.txt b/docs/releases/4.2.25.txt
index 69f238c3c1..5412777055 100644
--- a/docs/releases/4.2.25.txt
+++ b/docs/releases/4.2.25.txt
@@ -7,4 +7,11 @@ Django 4.2.25 release notes
 Django 4.2.25 fixes one security issue with severity "high" and one security
 issue with severity "low" in 4.2.24.
 
-...
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
+======================================================================================================================================
+
+:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
+:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
+to SQL injection in column aliases, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
+:cve:`2022-28346`).
diff --git a/docs/releases/5.1.13.txt b/docs/releases/5.1.13.txt
index a181694be2..96b81c0102 100644
--- a/docs/releases/5.1.13.txt
+++ b/docs/releases/5.1.13.txt
@@ -7,4 +7,11 @@ Django 5.1.13 release notes
 Django 5.1.13 fixes one security issue with severity "high" and one security
 issue with severity "low" in 5.1.12.
 
-...
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
+======================================================================================================================================
+
+:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
+:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
+to SQL injection in column aliases, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
+:cve:`2022-28346`).
diff --git a/docs/releases/5.2.7.txt b/docs/releases/5.2.7.txt
index 11dcff6c7c..05d03a991e 100644
--- a/docs/releases/5.2.7.txt
+++ b/docs/releases/5.2.7.txt
@@ -8,6 +8,15 @@ Django 5.2.7 fixes one security issue with severity "high", one security issue
 with severity "low", and one bug in 5.2.6. Also, the latest string translations
 from Transifex are incorporated.
 
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
+======================================================================================================================================
+
+:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
+:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
+to SQL injection in column aliases, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
+:cve:`2022-28346`).
+
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2025-09-10 09:53:52 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 08:11:45 -0400
commit	41b43c74bda19753c757036673ea9db74acf494a (patch)
tree	a5c7c19d5c4e952afaea9e62ef71e803c58589b0 /docs/releases
parent	6c82b0bc91fc650891b0b411ac4a5a86cf0cf3e8 (diff)