Relative Path Traversal

CVE-2025-59682

Medium

6.5/10

Summary

An issue was discovered in Django versions from 4.2a1 through 4.2.24, 5.1a1 through 5.1.12, 5.2a1 through 5.2.6, and 6.0a1. The "django.utils.archive.extract()" function, used by the "startapp --template" and "startproject --template" commands, allows Partial Directory Traversal via an archive with file paths sharing a common prefix with the target directory.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-23 - Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

References

Advisory
Issue
Release Note

Advisory Timeline

Published Oct 01, 2025

Relative Path Traversal

CVE-2025-59682

Summary

CWE-23 - Relative Path Traversal

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS