December 2, 2025
Django 5.2.9 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.8.
FilteredRelation column aliases on PostgreSQL

FilteredRelation was subject to SQL injection in column aliases when a suitably crafted dictionary was expanded (**kwargs) into QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
Deserializer

XML serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
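The complexity difference described above, as an added illustration that is not Django's own code: naive_inner_text() is a hypothetical reconstruction of the re-join-at-every-level pattern, linear_inner_text() collects fragments into one list and joins once, and nested_field() builds a constructed document with nested unexpected elements inside a <field>.

```python
from xml.dom import minidom


def naive_inner_text(node):
    """Join text at every recursion level, so each element re-copies
    the text of its entire subtree. Returns (text, chars_copied)."""
    parts, copied = [], 0
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            text, inner = naive_inner_text(child)
            parts.append(text)
            copied += inner
    text = "".join(parts)
    return text, copied + len(text)


def _collect(node, acc):
    """Append every text/CDATA fragment of the subtree to one shared list."""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            acc.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            _collect(child, acc)


def linear_inner_text(node):
    """Collect fragments per element and join exactly once at the top.
    Returns (text, chars_copied); the copy count equals the text length."""
    acc = []
    _collect(node, acc)
    text = "".join(acc)
    return text, len(text)


def nested_field(depth, chunk="x"):
    """Constructed sample: a <field> holding `depth` nested <bogus> elements,
    each carrying one text chunk (the shape the fix guards against)."""
    opens = "".join(f"<bogus>{chunk}" for _ in range(depth))
    return f"<field>{opens}{'</bogus>' * depth}</field>"


def compare(depth):
    """Return (naive_cost, linear_cost) for a document of the given depth;
    naive grows as depth*(depth+3)/2, linear as depth."""
    root = minidom.parseString(nested_field(depth)).documentElement
    naive_text, naive_cost = naive_inner_text(root)
    linear_text, linear_cost = linear_inner_text(root)
    assert naive_text == linear_text  # same result, different work
    return naive_cost, linear_cost
```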
Fixed a bug in Django 5.2 where django.utils.feedgenerator.Stylesheet.__str__() did not escape the url, mimetype, and media attributes, potentially leading to invalid XML markup (#36733).
Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply a field's custom query placeholders (#36748).
Fixed a regression in Django 5.2.2 that caused a crash when using aggregate functions with an empty Q filter over a queryset with annotations (#36751).
Fixed a regression in Django 5.2.8 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters (#36743).
Fixed a crash on Python 3.14+ that prevented template tag functions from being registered when their type annotations required deferred evaluation (#36712).
December 22, 2025