CVE-2025-59682
Published 2025-10-01
Priority: P3 · 43 · medium · CVSS 3.1 base score 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.85% (53.6th percentile)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
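As an added illustration of the "common prefix" case the advisory describes (constructed for this page, not Django's own code): a string-prefix test lets a member such as `../proj_backup/settings.py` through for target directory `/tmp/proj`, because the resolved destination `/tmp/proj_backup/settings.py` starts with `/tmp/proj`, whereas a containment test on the normalized path rejects it. The target path and member names are constructed, and a POSIX filesystem is assumed.

```python
import os

# Constructed sample of archive member names (not from a real template archive):
# the third and fourth entries resolve outside the target directory.
SAMPLE_MEMBERS = [
    "manage.py",
    "app/models.py",
    "../proj_backup/settings.py",   # resolves to /tmp/proj_backup/...: shares the prefix "/tmp/proj"
    "../../etc/cron.d/job",         # plain traversal, caught by both checks
    "./README.md",
]


def _destination(target_dir: str, member: str) -> tuple[str, str]:
    """Resolve where `member` would be written if extracted into `target_dir`."""
    target = os.path.abspath(target_dir)
    # os.path.join discards `target` when `member` is absolute, so an absolute
    # member name also ends up outside `target` and fails the containment test.
    dest = os.path.abspath(os.path.join(target, member))
    return target, dest


def is_within_naive(target_dir: str, member: str) -> bool:
    """Prefix-only check: wrongly accepts /tmp/proj_backup/... for target /tmp/proj."""
    target, dest = _destination(target_dir, member)
    return dest.startswith(target)


def is_within(target_dir: str, member: str) -> bool:
    """Containment check: the destination must equal the target or sit beneath it."""
    target, dest = _destination(target_dir, member)
    try:
        return os.path.commonpath([target, dest]) == target
    except ValueError:  # e.g. paths on different Windows drives
        return False


def unsafe_members(target_dir: str, names: list[str]) -> list[str]:
    """Return the member names that must be rejected before extraction."""
    return [name for name in names if not is_within(target_dir, name)]


if __name__ == "__main__":
    for name in SAMPLE_MEMBERS:
        naive, sound = is_within_naive("/tmp/proj", name), is_within("/tmp/proj", name)
        print(f"{name!r:32} prefix-check={naive!s:5} containment-check={sound}")
```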
Affected: 8 ranges (duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 3:3.2.25-0+deb12u1 (bookworm) | 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.25 | 4.2.25 |
| djangoproject | django | >= 4.2.0 < 4.2.25 | 4.2.25 |
| djangoproject | django | >= 5.1 < 5.1.13 | 5.1.13 |
| djangoproject | django | >= 5.2 < 5.2.7 | 5.2.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | 9.8 | CRITICAL | |
| vendor_ubuntu | 7.1 | HIGH | |
| vendor_debian | 3.1 | LOW | |
| vendor_redhat | 3.1 | LOW | |
OSV · 2025-10-01 · CVE-2025-59682 [LOW]
Django vulnerable to partial directory traversal via archives
Description: same text as the NVD entry above.
OSV · 2025-10-01 · CVE-2025-59681 [CRITICAL] · CVSS 9.8
python-django vulnerabilities
It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-59681)
It was discovered that Django incorrectly handled files with the same path prefix when starting with a template. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-59682)
GHSA · 2025-10-01 · CVE-2025-59682 [LOW] · CWE-23
Django vulnerable to partial directory traversal via archives
Description: same text as the NVD entry above.
OSV · 2025-10-01 · CVE-2025-59682 [MEDIUM] · CVSS 6.5
CVE-2025-59682: An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7
Description: same text as the NVD entry above.
Red Hat · 2025-10-01 · CVE-2025-59682 [LOW] · CWE-22 · CVSS 3.1
django: Potential partial directory-traversal via archive.extract()
Description: same text as the NVD entry above.
A flaw was found in Django. The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria compr
Ubuntu · 2025-10-01 · CVE-2025-59681 [HIGH] · CVSS 7.1
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-59681)
It was discovered that Django incorrectly handled files with the same path prefix when starting with a template. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-59682)
Instructions: In general, a standard system update will make all the necessary changes.
Debian · 2025 · CVE-2025-59682 [LOW] · CVSS 3.1
python-django: CVE-2025-59682
Description: same text as the NVD entry above.
Scope: local
Status by release:
- bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
- bullseye: resolved (fixed in 2:2.2.28-1~deb11u9)
- forky: resolved (fixed in 3:4.2.25-1)
- sid: resolved (fixed in 3:4.2.25-1)
- trixie: resolved (fixed in 3:4.2.27-0+deb13u1)
No detection rules found.
No public exploits indexed.