CVE-2022-28347 in Django
Summary
by MITRE • 04/12/2022
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/09/2026
The vulnerability CVE-2022-28347 represents a critical SQL injection flaw within the Django web framework's QuerySet.explain() method, affecting multiple versions including Django 2.2 prior to 2.2.28, 3.2 prior to 3.2.13, and 4.0 prior to 4.0.4. This issue arises from improper input validation when processing the **options argument in the explain() method, which is used to provide execution plans for SQL queries. The vulnerability stems from the framework's handling of dictionary expansion where crafted dictionary keys can be manipulated to inject malicious SQL commands into the query execution process. This flaw operates at the intersection of application-level security and database interaction, making it particularly dangerous as it allows attackers to potentially execute arbitrary SQL commands against the underlying database.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious dictionary with carefully constructed keys that are then expanded and processed within the SQL query generation logic. The injection payload is placed directly into an option name rather than a value, which bypasses typical input sanitization mechanisms that might otherwise detect and prevent SQL injection attempts. This approach leverages the dictionary expansion feature of Python's argument handling, where **options allows for multiple keyword arguments to be passed simultaneously, creating an attack surface where the keys themselves become part of the SQL query construction process. The vulnerability is classified as CWE-89 SQL Injection, which is a well-documented weakness in software applications that improperly handle user input in SQL queries, and it aligns with ATT&CK technique T1071.004 Application Layer Protocol: DNS where attackers may use such vulnerabilities to manipulate database communications.
The operational impact of this vulnerability is severe as it allows attackers to execute arbitrary SQL commands on the database server, potentially leading to data exfiltration, data corruption, privilege escalation, or complete database compromise. An attacker with access to an application using affected Django versions could exploit this vulnerability to bypass authentication mechanisms, extract sensitive information, modify or delete database records, or even gain shell access to the database server. The vulnerability affects applications that utilize the QuerySet.explain() method for debugging or performance monitoring purposes, making it particularly insidious as it may not be immediately obvious during normal application operation. The risk is amplified because the injection occurs during query plan generation rather than actual query execution, meaning that even legitimate administrative functions could be compromised.
Organizations using affected Django versions should immediately apply the security patches released by the Django project to mitigate this vulnerability. The recommended mitigation strategy involves upgrading to Django versions 2.2.28, 3.2.13, or 4.0.4, which contain the necessary fixes to properly sanitize input parameters in the QuerySet.explain() method. Additionally, security teams should implement comprehensive monitoring of database query execution and conduct thorough code reviews to identify any other potential injection points within their applications. Network segmentation and database access controls should be reinforced to limit the potential impact of successful exploitation, while application firewalls and intrusion detection systems should be configured to detect unusual database query patterns that may indicate exploitation attempts. The vulnerability underscores the importance of proper input validation and parameter sanitization in all database interaction components, reinforcing industry best practices outlined in OWASP Top Ten and NIST cybersecurity guidelines for preventing injection vulnerabilities in web applications.