Django 5.2.8 release notes
November 5, 2025
Django 5.2.8 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.7. It also adds compatibility with Python 3.14.
CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
Python's NFKC normalization is slow on Windows. As a consequence, HttpResponseRedirect, HttpResponsePermanentRedirect, and the shortcut redirect() were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters (follow up to CVE-2025-27556).
CVE-2025-64459: Potential SQL injection via _connector keyword argument
QuerySet.filter(), exclude(), get(), and Q were subject to SQL injection using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.
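The pattern at risk is a user-controlled dictionary expanded into filter(), exclude(), get() or Q. The following added example (not part of the release notes or of Django's code) allowlists lookups and rejects Q's control arguments before expansion; ALLOWED_LOOKUPS, clean_filter_kwargs, Article and the sample dictionaries are assumptions for illustration.

```python
# Added example, not Django's own code. ALLOWED_LOOKUPS, clean_filter_kwargs
# and the sample dictionaries below are hypothetical names and constructed data.

# Keyword arguments that Q() reads as control arguments, not as field lookups.
Q_CONTROL_KWARGS = frozenset({"_connector", "_negated"})

# Lookups this hypothetical view accepts from a request.
ALLOWED_LOOKUPS = frozenset({"status", "name__icontains", "created__gte"})


class RejectedLookup(ValueError):
    """User input contained a key or value that must not reach the ORM."""


def clean_filter_kwargs(params, allowed=ALLOWED_LOOKUPS):
    """Return a dict that is safe to expand into QuerySet.filter(**kwargs)."""
    cleaned = {}
    for key, value in params.items():
        if not isinstance(key, str):
            raise RejectedLookup(f"non-string key: {key!r}")
        # Reject control arguments explicitly so the reason is visible in logs.
        if key in Q_CONTROL_KWARGS or key.startswith("_"):
            raise RejectedLookup(f"control argument not accepted: {key!r}")
        if key not in allowed:
            raise RejectedLookup(f"lookup not in allowlist: {key!r}")
        # None of the allowed lookups takes a container; parsed JSON bodies can.
        if isinstance(value, (dict, list, tuple, set)):
            raise RejectedLookup(f"non-scalar value for {key!r}")
        cleaned[key] = value
    return cleaned


def check(params):
    """Return (accepted, detail) without raising, for logging or tests."""
    try:
        return True, clean_filter_kwargs(params)
    except RejectedLookup as exc:
        return False, str(exc)


# Constructed inputs, shaped like request.GET.dict() or a parsed JSON body.
BENIGN = {"status": "open", "name__icontains": "report"}
WITH_CONTROL_KEY = {"status": "open", "_connector": "constructed-value"}

if __name__ == "__main__":
    print(check(BENIGN))
    print(check(WITH_CONTROL_KEY))
    # In a view (Article is a hypothetical model):
    # Article.objects.filter(**clean_filter_kwargs(request.GET.dict()))
```

An allowlist of this kind complements the upgrade to 5.2.8 and keeps unexpected lookups out of queries regardless of the Django version.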
Bugfixes
- Added compatibility for oracledb 3.4.0 (#36646).
- Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last() raised an error on querysets performing aggregation that selected all fields of a composite primary key (#36648).
- Fixed a bug in Django 5.2 where proxy models having a CompositePrimaryKey incorrectly raised a models.E042 system check error (#36704).