PT-2025-40291 · Django 4

Stackered · Published 2025-10-01 · Updated 2026-01-03 · CVE-2025-59682

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Django versions 4.2 through 4.2.24
Django versions 5.1 through 5.1.12
Django versions 5.2 through 5.2.6

Description

The django.utils.archive.extract() function allows directory traversal when an archive contains file paths that share a common prefix with the target directory: a member whose resolved path begins with the target directory's path as a plain string (for example, a sibling directory whose name extends the target directory's name) passes the containment check and is written outside the intended directory. This issue affects the "startapp --template" and "startproject --template" commands, which extract a user-supplied template archive.

Recommendations

Update to Django version 4.2.25 or later.
Update to Django version 5.1.13 or later.
Update to Django version 5.2.7 or later.
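The check pattern behind this class of bug, as an added example that is not part of the advisory and not Django's own code: naive_is_contained() is a simplified reconstruction of a string-prefix containment test, strict_is_contained() requires the resolved path to sit at or below the target directory, and the target directory "/srv/app" and the archive members are constructed for illustration. The audit only reasons about paths; nothing is written to disk.

```python
import io
import posixpath
import zipfile


def naive_is_contained(to_path, member_name):
    """Simplified prefix check (assumed pattern, not Django's code): accept a
    member if its resolved path merely starts with the target directory as a
    string. '/srv/app_evil/x' starts with '/srv/app', so a sibling directory
    that shares the prefix slips through."""
    target_dir = posixpath.abspath(to_path)
    resolved = posixpath.abspath(posixpath.join(target_dir, member_name))
    return resolved.startswith(target_dir)


def strict_is_contained(to_path, member_name):
    """Hardened check: the resolved path must be the target directory itself
    or lie strictly below it, i.e. the prefix must be followed by a separator."""
    target_dir = posixpath.abspath(to_path)
    resolved = posixpath.abspath(posixpath.join(target_dir, member_name))
    return resolved == target_dir or resolved.startswith(target_dir + "/")


def build_sample_archive():
    """Constructed in-memory zip standing in for a malicious --template archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project_name/settings.py", "DEBUG = False\n")
        # Escapes into a sibling directory that shares the prefix '/srv/app'.
        zf.writestr("../app_evil/sitecustomize.py", "import os\n")
        # Plain traversal; rejected by both checks.
        zf.writestr("../../etc/cron.d/backdoor", "* * * * * root id\n")
    return buf.getvalue()


def audit_archive(archive_bytes, to_path, check):
    """Return {member_name: would_be_written} under the given containment
    check, without touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {name: check(to_path, name) for name in zf.namelist()}


if __name__ == "__main__":
    data = build_sample_archive()
    for label, check in (("naive", naive_is_contained), ("strict", strict_is_contained)):
        print(label, audit_archive(data, "/srv/app", check))
```

Running the audit with the naive check accepts "../app_evil/sitecustomize.py" because "/srv/app_evil/sitecustomize.py" begins with "/srv/app"; the strict check rejects it. When reviewing your own extractors, require the separator after the prefix or compare with os.path.commonpath rather than str.startswith alone.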

Weakness Enumeration

Relative Path Traversal (CWE-23)

Related Identifiers

BDU:2025-12661
BIT-DJANGO-2025-59682
CVE-2025-59682
DLA-4324-1
ECHO-3ACC-85CC-F3E5
GHSA-Q95W-C7QG-HRFF
MGASA-2025-0243
OESA-2025-2378
OESA-2025-2379
OESA-2025-2460
OESA-2025-2461
OESA-2025-2462
OESA-2025-2463
OPENSUSE-SU-2025:15596-1
OPENSUSE-SU-2025:15598-1
OPENSUSE-SU-2025:20022-1
OPENSUSE-SU-2026:10005-1
SUSE-SU-2025:03446-1
USN-7794-1

Affected Products

Debian
Django
Linux Mint
RED OS
Ubuntu