December 2, 2025
Django 5.2.9 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.8.
FilteredRelation column aliases on PostgreSQL

FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Deserializer

XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
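As an added illustration of the quadratic cost described above (this is not Django's code; the helper names, the copy counter and the nested sample document are my own constructions), the following contrasts a recursive accumulation that re-joins all text at every nesting level with one that collects each text node once and joins a single time:

```python
import xml.dom.minidom as minidom

TEXT_TYPES = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)
ELEMENT = minidom.Node.ELEMENT_NODE


def inner_text_quadratic(node, counter):
    """Return a string from every recursion level.

    Each level joins everything beneath it, so text at depth k is copied
    k times; with text on every nesting level that is O(depth**2) work.
    """
    parts = []
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            parts.append(child.data)
        elif child.nodeType == ELEMENT:
            parts.append(inner_text_quadratic(child, counter))
    text = "".join(parts)
    counter["copied"] += len(text)  # this level re-copies all text below it
    return text


def _collect(node, parts, counter):
    """Append this node's text pieces to one shared list; no per-level join."""
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            parts.append(child.data)
            counter["copied"] += len(child.data)
        elif child.nodeType == ELEMENT:
            _collect(child, parts, counter)


def inner_text_linear(node, counter):
    """Collect every text node once, then join once: O(total text length)."""
    parts = []
    _collect(node, parts, counter)
    text = "".join(parts)
    counter["copied"] += len(text)
    return text


def nested_document(depth):
    """Constructed sample: <a>x<a>x...</a></a>, one text node at every level."""
    return "<a>x" * depth + "</a>" * depth


def compare(depth):
    """Return (text, copies) for both strategies on a document of this depth."""
    root = minidom.parseString(nested_document(depth)).documentElement
    cq, cl = {"copied": 0}, {"copied": 0}
    tq = inner_text_quadratic(root, cq)
    tl = inner_text_linear(root, cl)
    return tq, cq["copied"], tl, cl["copied"]
```

Both strategies yield the same text, but the per-level join copies depth*(depth+1)/2 characters for this document while the single-join version copies 2*depth, which is why nesting depth alone is enough to exhaust CPU in the quadratic variant.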
Fixed a bug in Django 5.2 where
django.utils.feedgenerator.Stylesheet.__str__() did not escape
the url, mimetype, and media attributes, potentially leading
to invalid XML markup (#36733).
Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply
a field’s custom query placeholders (#36748).
Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
functions with an empty Q filter over a queryset with annotations
(#36751).
Fixed a regression in Django 5.2.8 where DisallowedRedirect was raised by
HttpResponseRedirect and
HttpResponsePermanentRedirect for URLs longer than 2048
characters. The limit is now 16384 characters (#36743).
Fixed a crash on Python 3.14+ that prevented template tag functions from being registered when their type annotations required deferred evaluation (#36712).
Dec. 03, 2025