How to fix CVE-2025-59682?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Is Python affected by CVE-2025-59682?

CVE-2025-59682 is a low-severity vulnerability in Django 4.2 (CVSS 3.1). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

CVE-2025-59682

EUVD-2025-32692 LOW

2025-10-01 [email protected]

GHSA-q95w-c7qg-hrff

3.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

EUVD ID Assigned

Mar 13, 2026 - 18:18 euvd

EUVD-2025-32692

CVE Published

Oct 01, 2025 - 19:15 nvd

LOW 3.1

Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Analysis

Technical Context

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

Affected Products

Affected products: Djangoproject Django

Remediation

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +16

POC: 0

Vendor Status

Ubuntu

Priority: Medium

python-django

Release	Status	Version
upstream	released	4.2.25,5.1.13,5.2.7
bionic	released	1:1.11.11-1ubuntu1.21+esm12
focal	released	2:2.2.12-1ubuntu0.29+esm4
jammy	released	2:3.2.12-2ubuntu1.22
noble	released	3:4.2.11-1ubuntu1.11
plucky	released	3:4.2.18-1ubuntu1.5
trusty	released	1.6.11-0ubuntu1.3+esm8
xenial	released	1.8.7-1ubuntu5.15+esm9
questing	released	3:5.2.4-1ubuntu2

USN-7794-1

Debian

Bug #1116979

python-django

Release	Status	Fixed Version	Urgency
bullseye	fixed	2:2.2.28-1~deb11u9	-
bullseye (security)	fixed	2:2.2.28-1~deb11u12	-
bookworm	fixed	3:3.2.25-0+deb12u1	-
bookworm (security)	fixed	3:3.2.25-0+deb12u2	-
trixie	fixed	3:4.2.27-0+deb13u1	-
trixie (security)	fixed	3:4.2.28-0+deb13u1	-
forky, sid	fixed	3:4.2.29-1	-
(unstable)	fixed	3:4.2.25-1	-

DLA-4324-1 DSA-6117-1 DSA-6136-1

CVE-2025-59682 vulnerability details – vuln.today

Back

CVE-2025-59682

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-59682

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code