Skip to main content

Python CVE-2025-59682

| EUVDEUVD-2025-32692 LOW
Relative Path Traversal (CWE-23)
2025-10-01 cve@mitre.org GHSA-q95w-c7qg-hrff
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Ubuntu
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-32692
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
CVE Published
Oct 01, 2025 - 19:15 nvd
LOW 3.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 41 pypi packages depend on django (39 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.2.

DescriptionCVE.org

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Analysis

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

Ubuntu

Priority: Medium
python-django
Release Status Version
upstream released 4.2.25,5.1.13,5.2.7
bionic released 1:1.11.11-1ubuntu1.21+esm12
focal released 2:2.2.12-1ubuntu0.29+esm4
jammy released 2:3.2.12-2ubuntu1.22
noble released 3:4.2.11-1ubuntu1.11
plucky released 3:4.2.18-1ubuntu1.5
trusty released 1.6.11-0ubuntu1.3+esm8
xenial released 1.8.7-1ubuntu5.15+esm9
questing released 3:5.2.4-1ubuntu2

Debian

Bug #1116979
python-django
Release Status Fixed Version Urgency
bullseye fixed 2:2.2.28-1~deb11u9 -
bullseye (security) fixed 2:2.2.28-1~deb11u12 -
bookworm fixed 3:3.2.25-0+deb12u1 -
bookworm (security) fixed 3:3.2.25-0+deb12u2 -
trixie fixed 3:4.2.27-0+deb13u1 -
trixie (security) fixed 3:4.2.28-0+deb13u1 -
forky, sid fixed 3:4.2.29-1 -
(unstable) fixed 3:4.2.25-1 -

Share

CVE-2025-59682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy