Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL.

Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-17 17:09:54 -0500
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-12-02 09:21:07 -0300
commit: 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree: eb7a0093990c453a453a178f67e3302da24df188 /docs/releases
parent: cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)
3 files changed, 24 insertions, 0 deletions
diff --git a/docs/releases/4.2.27.txt b/docs/releases/4.2.27.txt
index 7ffa5fa458..e95dc63f74 100644
--- a/docs/releases/4.2.27.txt
+++ b/docs/releases/4.2.27.txt
@@ -7,6 +7,14 @@ Django 4.2.27 release notes
 Django 4.2.27 fixes one security issue with severity "high", one security issue
 with severity "moderate", and one bug in 4.2.26.
 
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.1.15.txt b/docs/releases/5.1.15.txt
index 2c4e029590..f55623ea96 100644
--- a/docs/releases/5.1.15.txt
+++ b/docs/releases/5.1.15.txt
@@ -7,6 +7,14 @@ Django 5.1.15 release notes
 Django 5.1.15 fixes one security issue with severity "high", one security issue
 with severity "moderate", and one bug in 5.1.14.
 
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index 9dfcc392a0..08c298999a 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -7,6 +7,14 @@ Django 5.2.9 release notes
 Django 5.2.9 fixes one security issue with severity "high", one security issue
 with severity "moderate", and several bugs in 5.2.8.
 
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
 Bugfixes
 ========
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-17 17:09:54 -0500
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-12-02 09:21:07 -0300
commit	5b90ca1e7591fa36fccf2d6dad67cf1477e6293e (patch)
tree	eb7a0093990c453a453a178f67e3302da24df188 /docs/releases
parent	cb1d2854ed2b13799f2b0cc6e04019df181bacd4 (diff)