CVE-2025-59682 — Relative Path Traversal in Django

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal9 documents7 sources

Severity

6.5MEDIUMNVD

CNA3.1OSV9.8

EPSS

0.0%

top 94.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 1

Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5djangoproject/django4.2 — 4.2.25+2

▶NVDdjangoproject/django4.2.0 — 4.2.25+2

▶PyPIdjangoproject/django4.2 — 4.2.25+2

🔴Vulnerability Details

OSV

Django vulnerable to partial directory traversal via archives↗2025-10-01

▶

CVEList

CVE-2025-59682: An issue was discovered in Django 4↗2025-10-01

▶

OSV

python-django vulnerabilities↗2025-10-01

▶

GHSA

Django vulnerable to partial directory traversal via archives↗2025-10-01

▶

OSV

CVE-2025-59682: An issue was discovered in Django 4↗2025-10-01

▶

📋Vendor Advisories

Red Hat

django: Potential partial directory-traversal via archive.extract()↗2025-10-01

▶

Ubuntu

Django vulnerabilities↗2025-10-01

▶

Debian

CVE-2025-59682: python-django - An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 ...↗2025

▶