Django · Django · CVE-2024-39330
**Name of the Vulnerable Software and Affected Versions**
Django versions 4.2 through 4.2.13
Django versions 5.0 through 5.0.6
**Description**
The issue affects derived classes of `django.core.files.storage.Storage` that override `generate_filename()` without replicating the file-path validation performed by the parent implementation (rejection of `..` path segments in the directory part and sanitisation of the basename through `get_valid_name()`). Such a subclass can return a name that still contains traversal sequences, so certain inputs to `save()` may cause the file to be written outside the intended directory (path traversal). The built-in `Storage` subclasses are not affected. The underlying weakness is improper restriction of the file path name, which may allow a remote attacker who can influence upload names to write files to arbitrary locations on the storage backend.
**Recommendations**
For Django versions 4.2 through 4.2.13, update to version 4.2.14 or later.
For Django versions 5.0 through 5.0.6, update to version 5.0.7 or later.
If upgrading immediately is not possible, audit every `Storage` subclass in your own code and in third-party storage backends that overrides `generate_filename()`, and make each override either delegate to `super().generate_filename()` or replicate the parent's validation (reject any `..` component in the directory part and pass the basename through `get_valid_name()`). Removing the override altogether, so that the parent's `generate_filename()` is used, also closes the gap, since it is the parent implementation that performs the validation. Until the upgrade is done, restrict which users can reach code paths that call `save()` with attacker-influenced file names to reduce exposure.
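The following added example (not code from Django or from this advisory) models the issue described above and the workaround. It reproduces, in a small self-contained `Storage` stand-in, the validation that Django's base `generate_filename()` performs (the `..` check on the directory part and the `get_valid_filename()` sanitisation of the basename), then shows an override in the style of a third-party backend that skips it beside one that delegates to the parent. The `PrefixedStorage` / `SafePrefixedStorage` class names, the `uploads/` prefix, the in-memory backend and the hostile upload name are all constructed for the illustration; `save()` here is a simplified model of the FileField-to-Storage save path, not Django's exact call chain, and `posixpath` is used instead of `os.path` so the result does not depend on the host OS.

```python
import posixpath
import re
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def get_valid_filename(name):
    # Same normalisation Django's get_valid_filename() applies: strip, turn
    # spaces into underscores, drop anything that is not a word char, dash or dot.
    s = str(name).strip().replace(" ", "_")
    s = re.sub(r"(?u)[^-\w.]", "", s)
    if s in {"", ".", ".."}:
        raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
    return s


class Storage:
    """Minimal model of django.core.files.storage.Storage: only the parts of
    generate_filename() and the save path that matter for CVE-2024-39330."""

    def __init__(self):
        self.written = {}  # constructed in-memory backend: key -> bytes

    def get_valid_name(self, name):
        return get_valid_filename(name)

    def generate_filename(self, filename):
        # Mirrors the base-class validation: reject '..' anywhere in the
        # directory part, sanitise the basename, then re-join.
        filename = str(filename).replace("\\", "/")
        dirname, filename = posixpath.split(filename)
        if ".." in PurePosixPath(dirname).parts:
            raise SuspiciousFileOperation(
                "Detected path traversal attempt in '%s'" % dirname
            )
        return posixpath.normpath(posixpath.join(dirname, self.get_valid_name(filename)))

    def _save(self, name, content):
        # A real backend (filesystem or object store) resolves '..' itself;
        # normpath models that resolution.
        key = posixpath.normpath(name)
        self.written[key] = content
        return key

    def save(self, name, content):
        # Simplified save path: derive the final name, then hand it to the backend.
        name = self.generate_filename(name)
        return self._save(name, content)


class PrefixedStorage(Storage):
    """Override in the style the advisory describes: adds a prefix but drops
    the parent's checks, so '..' in the input survives into the backend."""

    def generate_filename(self, filename):
        return "uploads/" + str(filename)  # no '..' check, no sanitising


class SafePrefixedStorage(Storage):
    """Same behaviour, but delegating to the parent keeps its validation."""

    def generate_filename(self, filename):
        return super().generate_filename("uploads/" + str(filename))


# Constructed hostile upload name, e.g. a client-controlled filename.
ATTACK_NAME = "../../etc/cron.d/job"
PAYLOAD = b"* * * * * root /tmp/x\n"


def vulnerable_result():
    """Key the unvalidated override ends up writing to."""
    return PrefixedStorage().save(ATTACK_NAME, PAYLOAD)


def hardened_result():
    """Outcome for the same input once the parent's validation runs."""
    try:
        return "accepted: " + SafePrefixedStorage().save(ATTACK_NAME, PAYLOAD)
    except SuspiciousFileOperation as exc:
        return "rejected: %s" % exc


def benign_result():
    """A normal upload still works with the hardened override."""
    return SafePrefixedStorage().save("Q3 report.pdf", b"%PDF-1.4")


def escapes_prefix(key, prefix="uploads/"):
    """True when a stored key landed outside the intended prefix."""
    return not key.startswith(prefix)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_result(), "escapes:", escapes_prefix(vulnerable_result()))
    print("hardened:  ", hardened_result())
    print("benign:    ", benign_result())
```

The vulnerable override hands `uploads/../../etc/cron.d/job` to the backend, which resolves it to `../etc/cron.d/job`, outside the `uploads/` tree; the hardened override raises `SuspiciousFileOperation` for the same input while still accepting an ordinary filename. When auditing a real backend, the question to ask of every `generate_filename()` override is exactly this: does the name it returns still pass through the parent's `..` check and `get_valid_name()`, or does it bypass them?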