CVE-2025-13372 is a vulnerability in the Django web framework impacting versions 4.2 prior to 4.2.27, 5.1 prior to 5.1.15, and 5.2 prior to 5.2.9. The issue arises from improper neutralization of special elements in SQL commands (CWE-89), specifically within the FilteredRelation feature when used with PostgreSQL databases. The vulnerability is triggered when developers use dictionary expansion (**kwargs) to pass dynamic column aliases to QuerySet.annotate() or QuerySet.alias(). By crafting a malicious dictionary, an attacker can inject SQL code into the column aliases, which are not properly sanitized before being incorporated into the SQL query. This can lead to SQL injection attacks that expose confidential data. The vulnerability does not require authentication but does require user interaction, such as submitting crafted input that reaches the vulnerable code path. The CVSS score is 4.3 (medium), reflecting a network attack vector with low complexity and no privileges required, but user interaction is necessary. The flaw affects PostgreSQL backends specifically, and earlier unsupported Django versions may also be vulnerable but were not evaluated. No public exploits have been reported yet. The Django project has acknowledged the issue and released patches in the specified versions to remediate the vulnerability.

For European organizations, this vulnerability poses a risk primarily to web applications built on affected Django versions using PostgreSQL databases. The SQL injection could allow attackers to extract sensitive data from the database, compromising confidentiality. Although the vulnerability does not affect integrity or availability directly, data leakage can have serious regulatory and reputational consequences, especially under GDPR. Organizations in sectors such as finance, healthcare, and government, which often handle sensitive personal or financial data, are at higher risk. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit. The medium severity indicates that while the risk is not critical, it is significant enough to warrant prompt attention to avoid data breaches. The lack of known exploits in the wild reduces immediate urgency but does not eliminate the threat, as attackers may develop exploits over time.

The primary mitigation is to upgrade Django installations to versions 4.2.27, 5.1.15, 5.2.9 or later where the vulnerability is patched. Organizations should audit their codebases for usage of FilteredRelation with dynamic dictionary expansion in QuerySet.annotate() or QuerySet.alias() and refactor to avoid passing untrusted input as column aliases. Implement strict input validation and sanitization on any user-supplied data that could influence query construction. Employ database activity monitoring to detect unusual or anomalous SQL queries indicative of injection attempts. Use Web Application Firewalls (WAFs) with rules tailored to detect SQL injection patterns specific to PostgreSQL. Conduct security testing, including static code analysis and penetration testing focused on ORM query construction. Educate developers about secure use of Django ORM features and the risks of dynamic query components. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.