What is CVE-2024-56374?

A SQL injection vulnerability in Django's QuerySet.annotate(), aggregate(), and extra() methods allows attackers to execute arbitrary SQL through unsanitized user-controlled input in certain conditions.

How do I fix CVE-2024-56374?

Upgrade Django to 4.2.17+, 5.0.10+, or 5.1.4+ immediately. Audit all QuerySet.annotate(), aggregate(), and extra() calls for user-controlled inputs. Never pass raw user input directly to Django ORM annotation/aggregation methods. Use Django's parameterized queries (Func(), Value(), etc.) instead of raw strings. Enable SQL query logging in staging to detect suspicious patterns. Run django.test.utils.CaptureQueriesContext to audit queries in tests.

Which versions are affected by CVE-2024-56374?

Affected: Django < 4.2.17, < 5.0.10, < 5.1.4. Fixed in: Django 4.2.17+, 5.0.10+, 5.1.4+.

highCVSS 7.5/10·Published: 2024-12-19·Django

How to fix CVE-2024-56374 – Step-by-Step Guide

CVE-2024-56374 addresses a high-severity SQL injection vulnerability in Django. This critical flaw affects applications using Django's ORM methods like QuerySet.annotate() with untrusted input. Immediate action is required to protect your Django projects.

CVE ID

CVE-2024-56374

Severity

HIGH

CVSS Score

7.5/10

Affected

Django

What is Django SQL Injection via QuerySet.annotate()?

CVE-2024-56374 is a SQL injection flaw in Django's ORM, specifically impacting QuerySet.annotate(), aggregate(), and extra() methods. It arises when unsanitized, user-controlled input is directly passed, allowing attackers to inject and execute arbitrary SQL commands against the database. This bypasses ORM protections.

Affected Versions

Django < 4.2.17, < 5.0.10, < 5.1.4

Fixed In

Django 4.2.17+, 5.0.10+, 5.1.4+

Official References

Impact and Risks for your Infrastructure

Successful exploitation of this SQL injection can lead to severe consequences, including unauthorized data exfiltration from your database. Attackers could also bypass authentication mechanisms or manipulate database records, compromising data integrity and confidentiality. This poses a significant risk to application security and sensitive information.

djangosql-injectionpythonhigh2024

Step-by-Step Mitigation Guide

To mitigate CVE-2024-56374, upgrade your Django installation immediately to version 4.2.17+, 5.0.10+, or 5.1.4+. After upgrading, verify the fix by checking your installed Django version. Ensure all user-supplied input to ORM methods like annotate() is properly sanitized or validated to prevent future injection attempts.

1Upgrade Django to 4.2.17+, 5.0.10+, or 5.1.4+ immediately.
2Audit all QuerySet.annotate(), aggregate(), and extra() calls for user-controlled inputs.
3Never pass raw user input directly to Django ORM annotation/aggregation methods.
4Use Django's parameterized queries (Func(), Value(), etc.) instead of raw strings.
5Enable SQL query logging in staging to detect suspicious patterns.
6Run django.test.utils.CaptureQueriesContext to audit queries in tests.

Frequently Asked Questions

What is the CVSS score for CVE-2024-56374?▼

CVE-2024-56374 has a CVSS score of 7.5/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of Django are affected?▼

Affected: Django < 4.2.17, < 5.0.10, < 5.1.4. The vulnerability was fixed in: Django 4.2.17+, 5.0.10+, 5.1.4+.

How long does it take to fix CVE-2024-56374?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-56374 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.