CVE-2025-59682

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-59682

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59682.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-59682

Aliases

Downstream

DEBIAN-CVE-2025-59682

DLA-4324-1

OESA-2025-2378

OESA-2025-2379

OESA-2025-2460

OESA-2025-2461

OESA-2025-2462

OESA-2025-2463

RHSA-2025:18979

RHSA-2025:19201

SUSE-SU-2025:03446-1

UBUNTU-CVE-2025-59682

USN-7794-1

Related

Published

2025-10-01T19:15:37Z

Modified

2025-11-06T06:19:06.600855Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

57d20b2485e7cd2f029dbf49fb5510b2a6f12c48

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.3

1.4

1.7a1

1.7a2

4.*

4.2

4.2.1

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.2.17

4.2.18

4.2.19

4.2.2

4.2.20

4.2.21

4.2.22

4.2.23

4.2.24

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2a1

4.2b1

4.2rc1