Django CVE-2025-57833

joel.edwards · September 10, 2025, 1:46pm

Hi everyone
I noticed Django released a patch for a critical vulnerability CVE-2025-57833 with potential SQL injection, which was also added to the LTS 4.2.24 release

I also see the platform’s Django version is pinned to <5.0

github.com/openedx/edx-platform

requirements/constraints.txt

master


      
          -c common_constraints.txt
          
          # Date: 2020-02-26
          # As it is not clarified what exact breaking changes will be introduced as per
          # the next major release, ensure the installed version is within boundaries.
          # Issue for unpinning: https://github.com/openedx/edx-platform/issues/35280
          celery>=5.2.2,<6.0.0
          
          # Date: 2024-02-02
          # Stay on LTS version, remove once this is added to common constraint
          Django<5.0
          
          # Date: 2020-02-10
          # django-oauth-toolkit version >=2.0.0 has breaking changes. More details
          # mentioned on this issue https://github.com/openedx/edx-platform/issues/32884
          # Issue for unpinning: https://github.com/openedx/edx-platform/issues/35277
          django-oauth-toolkit==1.7.1
          
          # Date: 2021-05-17
          # greater version has breaking changes and requires some migration steps.
          # Issue for unpinning: https://github.com/openedx/edx-platform/issues/35276

Does this mean that we’ll automatically get the new security patch or would a rebuild of openedx platform be required in order to pull in the latest patch? Does anyone have any knowledge about how this might potentially be exploited and what areas of the platform might be vulnerable in Openedx/tutor if left unpatched? I’ve done a rebuild recently so expect it should be up to date, this is just a case of curiosity

sarina · September 10, 2025, 3:17pm

@feanil could you comment here?

Tim_McCormack · September 11, 2025, 11:16am

Here’s where you can see the current version of Django that gets installed:

github.com/openedx/edx-platform

requirements/edx/base.txt

be0dc43c9


      
              #   social-auth-core
          cssutils==2.11.1
              # via pynliner
          defusedxml==0.7.1
              # via
              #   -r requirements/edx/kernel.in
              #   djangorestframework-xml
              #   ora2
              #   python3-openid
              #   social-auth-core
          django==4.2.24
              # via
              #   -c requirements/edx/../constraints.txt
              #   -r requirements/edx/kernel.in
              #   django-appconf
              #   django-autocomplete-light
              #   django-celery-results
              #   django-classy-tags
              #   django-config-models
              #   django-cors-headers
              #   django-crum

So at least on master, we should be on the patched version. (I haven’t checked if this has been backported to other branches.)

Tim_McCormack · September 11, 2025, 11:18am

(However, I also don’t see FilteredRelation used anywhere in the codebase, so it might be irrelevant? Not really sure, though – that might take a lot more digging, due to libraries.)

joel.edwards · September 11, 2025, 12:36pm

Thanks @Tim_McCormack,
Looks like it’s only in master and not on Teak.2 just yet, but I also couldn’t find any reference to the FilteredRelation function, I think that sufficiently satisfies my curiosity for now

Topic		Replies	Views
Django 5.2 Upgrade Plan 🚀 Maintainers	7	225	May 19, 2025
Django-require change repository Site Operators tutor	1	184	March 8, 2024
Quince.2 has been tagged Working Groups	0	160	February 9, 2024
Juniper.3 has been tagged Releases	2	832	August 27, 2020
Juniper is here! Releases juniper	5	2162	June 19, 2020

Django CVE-2025-57833

Related topics