
chore(deps): update dependency django to v4 [security] #74

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-django-vulnerability

Conversation

@renovate
Contributor

@renovate renovate bot commented Jul 24, 2025

This PR contains the following updates:

Package            | Change            | Age     | Confidence
django (changelog) | >=3,<4 -> >=4,<5  | (badge) | (badge)

GitHub Vulnerability Alerts

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

CVE-2025-48432

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

CVE-2025-57833

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().

CVE-2025-64458

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2025-64459

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.


Release Notes

django/django (django)

Entries (each with a Compare Source link) for v4.2.26, v4.2.25, v4.2.24, v4.2.23, v4.2.22, v4.2.21, v4.2.20, v4.2.19, v4.2.18, v4.2.17, v4.2.16, v4.2.15, v4.2.14, v4.2.13, v4.2.12, v4.2.11, v4.2.10, v4.2.9, v4.2.8, v4.2.7, v4.2.6, v4.2.5, v4.2.4, v4.2.3, v4.2.2, v4.2.1, v4.2, v4.1.13, v4.1.12, v4.1.11, v4.1.10, v4.1.9, v4.1.8, v4.1.7, v4.1.6, v4.1.5, v4.1.4, v4.1.3, v4.1.2, v4.1.1, v4.1, v4.0.10, v4.0.9, v4.0.8, v4.0.7, v4.0.6, v4.0.5, v4.0.4, v4.0.3, v4.0.2, v4.0.1, v4.0.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
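A check a reviewer can run against the release this PR actually resolves to, as an added example that is not part of the PR or of Django itself: it encodes the first fixed releases named in the advisories above and reports which of the listed CVEs a given Django release still carries no fix for. It assumes plain `major.minor.patch` release numbers.

```python
# Added example (not from the PR or from Django): checks a Django release against the
# advisories quoted in this PR. Fixed-release numbers are taken from the advisory text;
# CVE-2024-45231 names 5.1.1, 5.0.9 and 4.2.16 as the releases in which it was addressed.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

ADVISORIES: Dict[str, Tuple[Version, ...]] = {
    "CVE-2024-45231": ((5, 1, 1), (5, 0, 9), (4, 2, 16)),
    "CVE-2025-48432": ((5, 2, 2), (5, 1, 10), (4, 2, 22)),
    "CVE-2025-57833": ((5, 2, 6), (5, 1, 12), (4, 2, 24)),
    "CVE-2025-64458": ((5, 2, 8), (5, 1, 14), (4, 2, 26)),
    "CVE-2025-64459": ((5, 2, 8), (5, 1, 14), (4, 2, 26)),
}


def parse_version(text: str) -> Version:
    """'4.2.16' -> (4, 2, 16); '4.2' -> (4, 2, 0). Pre-release tags are not handled."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def unfixed_cves(version_text: str) -> List[str]:
    """CVEs from this PR that the given release carries no fix for.

    A release is fixed for a CVE when it is at or above the first fixed release of
    its own major.minor series. A series newer than every series the advisory names
    was cut after the fix and counts as fixed; any other series the advisory does not
    name (5.0.x for the 2025 advisories, 4.1.x, 3.2.x) was not evaluated and is reported.
    """
    v = parse_version(version_text)
    series = v[:2]
    unfixed = []
    for cve, fixed_releases in ADVISORIES.items():
        in_series = [f for f in fixed_releases if f[:2] == series]
        newest_named = max(f[:2] for f in fixed_releases)
        if in_series:
            if v < in_series[0]:
                unfixed.append(cve)
        elif series < newest_named:
            unfixed.append(cve)
    return unfixed


if __name__ == "__main__":
    for release in ("4.2.26", "4.2.25", "5.0.9", "4.0"):
        print(release, "->", unfixed_cves(release) or "no unfixed CVEs from this PR")
```

The constraint this PR proposes, `>=4,<5`, only raises the floor to 4.0, which is below every fixed release named above, so the version the lock or resolver actually picks is what to run through this check.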

@dargmuesli
Member

Reading the changelogs LGTM, @soerface what do you think? Maybe you can try it out while working on your branches?

#68 (review)

@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 676e2b5 to ea22da5 Compare July 27, 2025 14:00
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from ea22da5 to 6194e7a Compare August 11, 2025 23:48
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 6194e7a to fc5b955 Compare August 23, 2025 07:04
@renovate renovate bot changed the title chore(deps): update dependency django to v4 [security] chore(deps): update dependency django to v5 [security] Aug 23, 2025
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from fc5b955 to 3282314 Compare August 24, 2025 23:05
@renovate renovate bot changed the title chore(deps): update dependency django to v5 [security] chore(deps): update dependency django to v4 [security] Aug 24, 2025
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 3282314 to cf9498f Compare September 11, 2025 08:08
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from cf9498f to a70be8e Compare September 25, 2025 19:29
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from a70be8e to 5146df3 Compare October 6, 2025 04:26
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch 3 times, most recently from 03183ca to 8b00c17 Compare November 11, 2025 00:00
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch 2 times, most recently from 70a92d3 to ecff4c0 Compare November 25, 2025 14:37
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from ecff4c0 to b1148db Compare December 31, 2025 17:41
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from b1148db to c1eea67 Compare February 2, 2026 21:43
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from c1eea67 to d909431 Compare February 12, 2026 17:58
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from d909431 to b4587a9 Compare March 13, 2026 17:06