November 5, 2025
Django 5.2.8 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.7. It also adds compatibility with Python 3.14.
HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Python's NFKC normalization is slow on
Windows. As a consequence, HttpResponseRedirect,
HttpResponsePermanentRedirect, and the shortcut
redirect() were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to CVE 2025-27556).
_connector keyword argument

QuerySet.filter(), exclude(), get(),
and Q were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.
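
A defensive pattern for application code that expands request-derived dictionaries into filter(), as an added example that is not part of the Django release notes or Django's own code: allowlist the lookup keys so that Q's control keywords can never come from a caller. ALLOWED_LOOKUPS, its field names, the Article model and the helper names are hypothetical.

```python
# Added example (not Django's code): allowlist lookup keys before ** expansion.
# ALLOWED_LOOKUPS and its field names are hypothetical.

# Keyword-only control arguments of django.db.models.Q.__init__.
Q_CONTROL_KWARGS = frozenset({"_connector", "_negated"})

ALLOWED_LOOKUPS = frozenset({"title__icontains", "author_id", "published__gte"})


class RejectedLookup(ValueError):
    """A caller-supplied key that must not reach the ORM."""


def safe_filter_kwargs(untrusted, allowed=ALLOWED_LOOKUPS):
    """Return a copy of `untrusted` holding only allowlisted lookups.

    Fails closed: any unexpected key raises instead of being dropped, so the
    request can be rejected and logged.
    """
    if not isinstance(untrusted, dict):
        raise RejectedLookup("filter parameters must be a dict")
    clean = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise RejectedLookup(f"non-string key: {key!r}")
        if key in Q_CONTROL_KWARGS or key.startswith("_"):
            raise RejectedLookup(f"reserved keyword: {key!r}")
        if key not in allowed:
            raise RejectedLookup(f"lookup not allowed: {key!r}")
        clean[key] = value
    return clean


def check(untrusted):
    """Return (accepted, kwargs_or_reason) without raising."""
    try:
        return True, safe_filter_kwargs(untrusted)
    except RejectedLookup as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs standing in for parsed request parameters.
    for sample in (
        {"title__icontains": "django"},
        {"author_id": 7, "_connector": "constructed-value"},
        {"password__startswith": "a"},
    ):
        print(check(sample))
    # In a view: Article.objects.filter(**safe_filter_kwargs(params))
```

The allowlist also blocks lookups on fields the endpoint was never meant to expose, which is a separate data-exposure risk of passing request parameters straight to the ORM.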
Added compatibility for oracledb 3.4.0 (#36646).
Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last()
raised an error on querysets performing aggregation that selected all fields
of a composite primary key (#36648).
Fixed a bug in Django 5.2 where proxy models having a CompositePrimaryKey
incorrectly raised a models.E042 system check error (#36704).
Dec. 03, 2025