HIGH · CVSS 7.5
CVE-2024-42005 — Django QuerySet SQL injection via JSON key lookups
A SQL injection in Django's QuerySet.values() when combined with JSON key lookups built from untrusted input allowed attacker-controlled lookup paths to append arbitrary SQL.
Affects
- Django 4.2 < 4.2.15
- Django 5.0 < 5.0.8
What an attacker does
An API that exposes `.values('data__<user-input>')`, or otherwise uses JSON field lookups with dynamic keys, could let the attacker inject SQL via specially crafted column names.
How to detect
`pip show django` shows the installed version; upgrade if it is below the patched release for your line (4.2.15 for 4.2.x, 5.0.8 for 5.0.x).
How to fix
Upgrade Django to 4.2.15+ / 5.0.8+.
How Securie catches it
Securie's Python scanner flags Django versions below the patched releases and audits dynamic JSON key lookups.