Severity: High
Status: resolved
SQL injection in JSONField KeyTransform
Reported by Eyal Gabay; disclosed on September 12, 2025, 12:28 am | SQL Injection
A SQL injection vulnerability was found in the JSONField KeyTransform functionality of Django. When attacker-controlled strings reached the .values() method, the crafted input was carried through the key transform into the generated SQL. The report demonstrated the issue against the Django test suite, where a specially crafted string triggered a SQL syntax error, the usual sign that input is being interpolated into the query text rather than bound as a parameter. The practical lesson for application code is the same regardless of the framework fix: field and JSON-key paths handed to .values() (or .values_list(), .annotate(), .order_by()) should come from an allowlist, never straight from a request.
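The following is an added example, not code from the report or from Django, of the application-side check described above: a validator that only lets allowlisted field names and JSON keys through to QuerySet.values(). It assumes a hypothetical model Product with an integer id and a JSONField named data; the crafted input in the usage block is a constructed string with SQL metacharacters, not the reporter's payload.

```python
import re
from typing import Iterable

# Django's lookup separator: "data__price" addresses key "price" of JSONField "data".
LOOKUP_SEP = "__"

# One lookup component: letters, digits and underscores, not starting with a digit.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeFieldPath(ValueError):
    """Raised when a requested .values() argument is not on the allowlist."""


def validate_values_fields(requested: Iterable[str],
                           allowed: dict[str, set[str]]) -> list[str]:
    """Return the field paths in `requested` that are safe to splat into .values().

    `allowed` maps a concrete model field name to the JSON keys a caller may address
    beneath it; an empty set means the field itself may be selected but no key
    transform. Everything else is rejected, including any string containing characters
    outside [A-Za-z0-9_], so a crafted value never reaches the SQL compiler.
    """
    cleaned: list[str] = []
    for path in requested:
        if not isinstance(path, str) or not path:
            raise UnsafeFieldPath(f"non-string or empty field path: {path!r}")
        parts = path.split(LOOKUP_SEP)
        if not all(_IDENT.match(p) for p in parts):
            raise UnsafeFieldPath(f"illegal characters in field path: {path!r}")
        field, *keys = parts
        if field not in allowed:
            raise UnsafeFieldPath(f"field not exposed: {field!r}")
        if len(keys) > 1:
            # Keep the policy simple: only one level of key transform is accepted.
            raise UnsafeFieldPath(f"nested key transforms not exposed: {path!r}")
        if keys and keys[0] not in allowed[field]:
            raise UnsafeFieldPath(f"JSON key not exposed on {field!r}: {keys[0]!r}")
        cleaned.append(path)
    return cleaned


# Hypothetical allowlist for a model Product(id, data=JSONField()) (assumption).
PRODUCT_VALUES_ALLOWLIST: dict[str, set[str]] = {
    "id": set(),
    "data": {"price", "sku"},
}


def is_rejected(path: str) -> bool:
    """Helper for callers/tests: True if `path` would be refused by the validator."""
    try:
        validate_values_fields([path], PRODUCT_VALUES_ALLOWLIST)
    except UnsafeFieldPath:
        return True
    return False


if __name__ == "__main__":
    # Benign request, as a view might receive it from ?fields=id&fields=data__price
    # (the query string here is constructed for the example).
    ok = validate_values_fields(["id", "data__price"], PRODUCT_VALUES_ALLOWLIST)
    print("accepted:", ok)  # accepted: ['id', 'data__price']
    # In the hypothetical view this is the only thing handed to the ORM:
    #   Product.objects.values(*ok)
    # Constructed hostile inputs: SQL metacharacters, an unexposed key, a nested key.
    for bad in ["data__price') OR 1=1--", "data__secret", "data__a__b", "data__"]:
        print(repr(bad), "rejected:", is_rejected(bad))
```

The allowlist is keyed on what the API promises to expose, not on what the model happens to contain, so adding a sensitive key to the JSON document later does not silently widen the query surface.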

