December 2, 2025
Django 4.2.27 fixes one security issue with severity "high", one security issue with severity "moderate", and one bug in 4.2.26.
FilteredRelation column aliases on PostgreSQL

FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Deserializer

XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
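To make the cost model concrete, the following is an added illustration (it is not Django's getInnerText() and not code from this release) of the two collection strategies over a constructed nested document, with a counter for how many characters each strategy copies; the function names and the copy counter are this example's own.

```python
# Added illustration of the quadratic-vs-linear inner-text pattern; not Django's code.
from xml.dom import minidom


def inner_text_quadratic(node, copies):
    """Naive recursion: each level joins its text into a string and returns it,
    and the parent copies that whole string again into its own accumulator, so
    text at nesting depth k is copied k-1 times on the way up."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            text = inner_text_quadratic(child, copies)
            copies[0] += len(text)  # re-copied at this level
            parts.append(text)
    return "".join(parts)


def inner_text_linear(node, copies):
    """Per-element collection: every text node is appended once to a single
    accumulator and the result is joined once at the top, so total work is
    proportional to the amount of text, not to text times depth."""
    out = []

    def walk(n):
        for child in n.childNodes:
            if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
                out.append(child.data)
                copies[0] += len(child.data)
            elif child.nodeType == child.ELEMENT_NODE:
                walk(child)

    walk(node)
    return "".join(out)


def nested_document(depth):
    """Constructed sample: `depth` nested elements, one character of text each."""
    return "<f>x" * depth + "</f>" * depth


def compare(depth):
    """Run both collectors over a constructed document of the given depth and
    return (quadratic text, quadratic copies, linear text, linear copies).
    Quadratic copies grow as depth*(depth-1)/2; linear copies equal depth."""
    root = minidom.parseString(nested_document(depth)).documentElement
    q_copies, l_copies = [0], [0]
    q_text = inner_text_quadratic(root, q_copies)
    l_text = inner_text_linear(root, l_copies)
    return q_text, q_copies[0], l_text, l_copies[0]
```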
Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters (#36743).
December 22, 2025