A critical vulnerability has been identified in the Django web framework, a widely used platform for web application development. This flaw, rated with a CVSS score of 9.1, could allow a remote attacker to execute malicious SQL commands against the application's database, potentially leading to a complete compromise of sensitive data, including customer information, financial records, and intellectual property. Immediate patching is required to prevent data breaches and maintain system integrity.

The vulnerability exists due to improper input validation when processing dictionary keys within specific Django Object-Relational Mapper (ORM) methods. The QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), and Q() objects are susceptible to SQL injection when passed a dictionary with crafted keys. An attacker can supply specially crafted key names in user-controlled input (e.g., from a JSON API endpoint) that are then unpacked into these methods. This allows the attacker to bypass sanitization mechanisms and inject arbitrary SQL, enabling them to read, modify, or delete data in the underlying database.

This vulnerability is classified as critical severity with a CVSS score of 9.1, posing a significant and immediate risk to the business. Successful exploitation could lead to a severe data breach, exposing sensitive customer data, personally identifiable information (PII), and confidential company records. The potential consequences include major financial losses from regulatory fines (e.g., GDPR, CCPA), loss of customer trust, significant reputational damage, and operational disruption if critical data is altered or deleted.

Immediate Action: Immediately update affected Django applications to a patched version: 5.1.14, 4.2.26, 5.2.8, or a later release. After patching, it is crucial to monitor for any signs of exploitation attempts that may have occurred prior to the update and review web server and database access logs for anomalous activity.

Proactive Monitoring:

• Implement enhanced logging for web application firewalls (WAF) to detect and alert on suspicious patterns in HTTP requests that resemble SQL injection syntax.
• Monitor database logs for unusual, complex, or long-running queries originating from the web application's service account.
• Review application-level logs for unexpected database errors or crashes, which could indicate failed exploitation attempts.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with strict SQL injection rule sets to block malicious requests before they reach the application.
• Enforce the principle of least privilege for the database user account associated with the Django application, restricting its permissions to only what is absolutely necessary and revoking permissions for commands like DROP or TRUNCATE.
• Implement strict server-side validation on the structure and keys of any dictionaries constructed from user-supplied input before they are passed to ORM methods.

Public Exploit Available: false

Given the critical CVSS score of 9.1, this vulnerability presents a clear and present danger to the organization. All teams responsible for applications built on Django must treat this as a top-priority security incident. The immediate patching of all affected instances to the recommended versions is the most effective and only complete remediation. While this vulnerability is not yet on the CISA KEV list, its severity makes it a likely candidate for future inclusion, and organizations should act now before it becomes actively exploited.