CVE-2025-59682

Summary

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp –template" and "startproject –template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Affected Software

VendorProductVersion RangeStatus
djangoprojectDjango4.2 < 4.2.25affected
djangoprojectDjango5.1 < 5.1.13affected
djangoprojectDjango5.2 < 5.2.7affected

Weaknesses

  • CWE-23: CWE-23 Relative Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References