Skip to main content

Python CVE-2025-59682

| EUVD-2025-32692 LOW
Relative Path Traversal (CWE-23)
2025-10-01 cve@mitre.org GHSA-q95w-c7qg-hrff
Python Path Traversal Debian Ubuntu Django
3.1
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-32692
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
CVE Published
Oct 01, 2025 - 19:15 nvd
LOW 3.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 41 pypi packages depend on django (39 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.2.

DescriptionNVD

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Analysis

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

More from same product – last 7 days

CVE-2026-47269 HIGH
7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH
CVE-2026-47271 MEDIUM
5.1 May 27

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str
CVE-2026-45898
May 27

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin
CVE-2026-45924
May 27

In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on s
CVE-2026-45965
May 27

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_

Vendor StatusVendor

Ubuntu

Priority: Medium
python-django
Release Status Version
upstream released 4.2.25,5.1.13,5.2.7
bionic released 1:1.11.11-1ubuntu1.21+esm12
focal released 2:2.2.12-1ubuntu0.29+esm4
jammy released 2:3.2.12-2ubuntu1.22
noble released 3:4.2.11-1ubuntu1.11
plucky released 3:4.2.18-1ubuntu1.5
trusty released 1.6.11-0ubuntu1.3+esm8
xenial released 1.8.7-1ubuntu5.15+esm9
questing released 3:5.2.4-1ubuntu2
USN-7794-1

Debian

Bug #1116979
python-django
Release Status Fixed Version Urgency
bullseye fixed 2:2.2.28-1~deb11u9 -
bullseye (security) fixed 2:2.2.28-1~deb11u12 -
bookworm fixed 3:3.2.25-0+deb12u1 -
bookworm (security) fixed 3:3.2.25-0+deb12u2 -
trixie fixed 3:4.2.27-0+deb13u1 -
trixie (security) fixed 3:4.2.28-0+deb13u1 -
forky, sid fixed 3:4.2.29-1 -
(unstable) fixed 3:4.2.25-1 -
DLA-4324-1 DSA-6117-1 DSA-6136-1

Share

CVE-2025-59682 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy