CVE-2025-69662

NameCVE-2025-69662
DescriptionSQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4523-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-geopandas (PTS)bullseye0.8.2-1vulnerable
bullseye (security)0.8.2-1+deb11u1fixed
bookworm0.12.2-1vulnerable
trixie1.0.1-2vulnerable
forky, sid1.1.3-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-geopandassourcebullseye0.8.2-1+deb11u1DLA-4523-1
python-geopandassource(unstable)1.1.2-1

Notes

https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/
https://github.com/geopandas/geopandas/pull/3681
Fixed by: https://github.com/geopandas/geopandas/commit/6aa8ef14ffdee4ba1044349ab948e1a1fbfaf419 (main)
Fix backported in: https://github.com/geopandas/geopandas/commit/81214bf9f3eaba9f5fdcfd141ae8d16fa17fd860 (v1.1.2)
Search for package or bug name: Reporting problems