Django Releases Security Updates to Address Critical Flaw (CVE-2024-42005, CVSS 9.8)
Django 5.0.8 and 4.2.15 have been released to address multiple vulnerabilities, the most severe being a critical SQL injection flaw (CVE-2024-42005, CVSS score 9.8) in the QuerySet.values() and values_list() methods on models with a JSONField: the column aliases generated for a crafted JSON object key passed as a positional argument were not safely quoted. The remaining issues are denial-of-service (DoS) vulnerabilities: the floatformat template filter could consume significant memory when given a number in scientific notation with a very large exponent (CVE-2024-41989, CVSS 7.5), and the urlize() and urlizetrunc() template filters could be made extremely slow by very large inputs (CVE-2024-41990 and CVE-2024-41991, both CVSS 7.5). The affected versions are the Django main branch, Django 5.1 (at release candidate stage), Django 5.0, and Django 4.2. Users are strongly encouraged to upgrade to the patched versions immediately; until an upgrade is possible, applications should not pass request-controlled names into values() or values_list().
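The following is an added example, not code from the Django project or from the advisory. It shows two checks a practitioner would want around this release: a version check that decides whether an installed Django carries the fixes (it assumes that a 5.1 final release and later carry the fix while the 5.1 release candidates do not, and that series older than 4.2 received no fix), and a defense-in-depth allow-list for field paths before they reach QuerySet.values(*args) or values_list(*args), which rejects any path segment that is not a plain identifier and any path not rooted at a field the view explicitly allows. The helper names, the allow-list and the sample inputs are constructed for this example; the allow-list is a mitigation for request-controlled arguments, not a substitute for upgrading.

```python
import re
from typing import Iterable, List, Set, Tuple

# Fixed releases named in the advisory, keyed by release series.
FIXED_RELEASES = {(4, 2): (4, 2, 15), (5, 0): (5, 0, 8)}

# Accepts '4.2.15', '5.0', '5.1rc1', '5.1a1', '5.1b2'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")

# A single lookup segment: a Python identifier with no quotes, spaces or punctuation.
_SEGMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse a Django version string into ((major, minor, micro), is_prerelease)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    micro = int(match.group(3) or 0)
    return (major, minor, micro), match.group(4) is not None


def is_patched(version: str) -> bool:
    """True if this Django version includes the fixes shipped in 4.2.15 / 5.0.8."""
    (major, minor, micro), prerelease = parse_version(version)
    series = (major, minor)
    if series in FIXED_RELEASES:
        return not prerelease and (major, minor, micro) >= FIXED_RELEASES[series]
    if series < (4, 2):
        return False  # end-of-life series, no fixed release exists
    # Assumption for this example: 5.1 final and later ship with the fix,
    # the 5.1 release candidates listed as affected do not.
    return not prerelease


def validate_values_args(requested: Iterable[str], allowed_fields: Set[str]) -> List[str]:
    """Filter field paths before passing them to values(*args) / values_list(*args).

    Each '__'-separated segment must be identifier-shaped (so a crafted JSON key
    containing quotes or other SQL metacharacters is rejected) and the first
    segment must be a field the caller has explicitly allowed.
    """
    cleaned: List[str] = []
    for name in requested:
        segments = name.split("__")
        if not all(_SEGMENT_RE.match(segment) for segment in segments):
            raise ValueError(f"rejected field path {name!r}: non-identifier characters")
        if segments[0] not in allowed_fields:
            raise ValueError(f"rejected field path {name!r}: not an allow-listed field")
        cleaned.append(name)
    return cleaned


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate in ("4.2.14", "4.2.15", "5.0.7", "5.0.8", "5.1rc1", "5.1"):
        print(f"Django {candidate:8s} patched: {is_patched(candidate)}")

    allowed = {"id", "title", "data"}  # 'data' stands in for a JSONField
    safe = validate_values_args(["id", "data__author"], allowed)
    print("accepted:", safe)
    # In a view this would then be: Article.objects.values(*safe)
    try:
        validate_values_args(['data__author"; DROP TABLE x; --'], allowed)
    except ValueError as err:
        print("blocked:", err)
```

The version check is only a convenience for inventories and CI; the authoritative check is the installed package version against the release notes. The allow-list deliberately rejects legitimate JSON keys that are not identifier-shaped, which is the right trade-off when the key names come from a request.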