November 5, 2025
Django 5.2.8 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.7. It also adds compatibility with Python 3.14.
HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
Python's NFKC normalization is slow on Windows. As a consequence,
HttpResponseRedirect, HttpResponsePermanentRedirect, and the shortcut
redirect() were subject to a potential denial-of-service attack via
certain inputs with a very large number of Unicode characters
(follow-up to CVE-2025-27556).
_connector keyword argument
QuerySet.filter(), exclude(), get(), and Q were subject to SQL injection
using a suitably crafted dictionary, with dictionary expansion, as the
_connector argument.
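Independently of upgrading, code that expands request data with ** into filter(), exclude(), get() or Q can allowlist the keys first. The following is an added example, not code from Django or from these release notes; ALLOWED_LOOKUPS, RejectedFilter, safe_filter_kwargs and check are hypothetical names, and the sample inputs are constructed.

```python
# Added example: allowlist guard for request data that is expanded with **
# into QuerySet.filter()/exclude()/get() or Q(). Standard library only.

# Assumption: the lookups this hypothetical view is willing to expose.
ALLOWED_LOOKUPS = frozenset({"name", "name__icontains", "created__gte"})

# Keyword arguments Q() treats as control options rather than field lookups.
Q_CONTROL_KWARGS = frozenset({"_connector", "_negated"})


class RejectedFilter(ValueError):
    """Raised when untrusted filter data contains a key that is not allowed."""


def safe_filter_kwargs(untrusted, allowed=ALLOWED_LOOKUPS):
    """Return a new dict that is safe to expand into filter(**kwargs)."""
    if not isinstance(untrusted, dict):
        raise RejectedFilter("filter data must be a mapping")
    cleaned = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise RejectedFilter("non-string key")
        # Reject control keywords outright, even if someone allowlists them.
        if key in Q_CONTROL_KWARGS or key.startswith("_"):
            raise RejectedFilter(f"control keyword not allowed: {key!r}")
        if key not in allowed:
            raise RejectedFilter(f"lookup not allowed: {key!r}")
        cleaned[key] = value
    return cleaned


def check(untrusted):
    """Helper: report (accepted, detail) instead of raising."""
    try:
        return True, safe_filter_kwargs(untrusted)
    except RejectedFilter as exc:
        return False, str(exc)


# Constructed sample inputs, e.g. parsed from a JSON request body.
SAMPLE_OK = {"name__icontains": "widget"}
SAMPLE_BAD = {"name": "widget", "_connector": "<untrusted string>"}

if __name__ == "__main__":
    print(check(SAMPLE_OK))
    print(check(SAMPLE_BAD))
    # In a view: Model.objects.filter(**safe_filter_kwargs(request_data))
```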
Added compatibility for oracledb 3.4.0 (#36646).
Fixed a bug in Django 5.2 where QuerySet.first() and QuerySet.last()
raised an error on querysets performing aggregation that selected all fields
of a composite primary key (#36648).
Fixed a bug in Django 5.2 where proxy models having a CompositePrimaryKey
incorrectly raised a models.E042 system check error (#36704).
November 21, 2025