Relative Path Traversal in Django
CVE-2025-59682
- Django
Summary
An issue was discovered in Django versions from 4.2a1 through 4.2.24, 5.1a1 through 5.1.12, 5.2a1 through 5.2.6, and 6.0a1. The "django.utils.archive.extract()" function, used by the "startapp --template" and "startproject --template" commands, allows Partial Directory Traversal via an archive with file paths sharing a common prefix with the target directory.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-23 - Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
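The prefix-check defect described in the summary above (and the general CWE-23 pattern) can be shown with a small resolver. This is an added illustration written for this page, not Django's own `django.utils.archive` code; the base directory `/tmp/work/myapp` and the archive member names are constructed samples.

```python
import os

# Constructed sample: member names as they might appear in a template archive.
# "../myapp2/settings.py" resolves to a sibling directory whose name shares the
# prefix "myapp" with the extraction target, which is the CVE-2025-59682 case.
SAMPLE_MEMBERS = [
    "myapp/__init__.py",
    "../myapp2/settings.py",
    "../../etc/passwd",
    "/etc/passwd",
]


class UnsafePath(Exception):
    """Raised when a member would land outside the extraction directory."""


def naive_target(to_path: str, name: str) -> str:
    """Weak check: a bare string-prefix test on the normalised path.

    "/tmp/work/myapp2/..." starts with "/tmp/work/myapp", so a member that
    climbs into a sibling directory with a common prefix is wrongly accepted.
    """
    base = os.path.abspath(to_path)
    target = os.path.abspath(os.path.join(base, name))
    if not target.startswith(base):
        raise UnsafePath(name)
    return target


def safe_target(to_path: str, name: str) -> str:
    """Hardened check: compare whole path components, not characters.

    os.path.commonpath only returns base when target is base itself or lies
    beneath it; a trailing-separator prefix test (base + os.sep) is equivalent.
    """
    base = os.path.abspath(to_path)
    target = os.path.abspath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(name)
    return target


def find_partial_escapes(to_path: str, names: list[str]) -> list[str]:
    """Return members the naive check accepts but the hardened check rejects."""
    escapes = []
    for name in names:
        try:
            naive_target(to_path, name)
        except UnsafePath:
            continue  # both checks reject plain "../" escapes and absolute paths
        try:
            safe_target(to_path, name)
        except UnsafePath:
            escapes.append(name)
    return escapes
```

Running `find_partial_escapes("/tmp/work/myapp", SAMPLE_MEMBERS)` isolates exactly the common-prefix member; the other three are either legitimate or rejected by both checks.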
References
Advisory Timeline
- Published