December 2, 2025
Django 5.1.15 fixes one security issue with severity "high", one security issue with severity "moderate", and one bug in 5.1.14.
FilteredRelation column aliases on PostgreSQL

FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Deserializer

XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
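The complexity difference described above, as an added illustration (this is not Django's getInnerText() and the sample document is constructed): the first collector joins the text at every recursion level and re-extends the parent's list character by character, so a chain of nested elements copies the same text once per ancestor; the second accumulates into one shared list and joins once.

```python
from xml.dom import minidom


def inner_text_join_per_level(node):
    """Return (text, appends). Joins at every level, then extends the
    parent's list with the joined str, i.e. one append per character, so
    the work grows quadratically with the nesting depth."""
    parts, appends = [], 0
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
            appends += 1
        elif child.nodeType == child.ELEMENT_NODE:
            text, sub = inner_text_join_per_level(child)
            parts.extend(text)  # iterating a str yields one item per character
            appends += sub + len(text)
    return "".join(parts), appends


def inner_text_single_pass(node, parts=None):
    """Return (text, appends). One shared list, joined once at the top, so
    appends are linear in the number of text nodes."""
    top = parts is None
    if top:
        parts = []
    appends = 0
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
            appends += 1
        elif child.nodeType == child.ELEMENT_NODE:
            appends += inner_text_single_pass(child, parts)[1]
    return ("".join(parts) if top else None), appends


def nested_document(depth):
    """Constructed sample: `depth` nested <field> elements, each holding 'x'."""
    return "<root>" + "<field>x" * depth + "</field>" * depth + "</root>"


def compare(depth):
    """Parse the sample and return (appends_per_level_join, appends_single_pass)."""
    root = minidom.parseString(nested_document(depth)).documentElement
    slow_text, slow_ops = inner_text_join_per_level(root)
    fast_text, fast_ops = inner_text_single_pass(root)
    assert slow_text == fast_text == "x" * depth  # same result, different cost
    return slow_ops, fast_ops
```

For depth 100 the per-level join performs 5150 appends against 100 for the single pass, and the gap widens quadratically as the nesting deepens.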
Fixed a regression in Django 5.1.14 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters (#36743).
Dec. 03, 2025