Fluid Attacks Database

Description

Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-django	=3:3.2.19-1 \|\| =3:3.2.19-1+deb12u1 \|\| =3:3.2.19-1+deb12u1~bpo11+1 \|\| =3:3.2.19-1+deb12u2 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| >=0 <3:3.2.25-0+deb12u1	3:3.2.25-0+deb12u1
debian 14	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| >=0 <3:4.2.25-1	3:4.2.25-1
debian 11	python-django	=2:2.2.24-1 \|\| =2:2.2.25-1~deb11u1 \|\| =2:2.2.26-1~deb11u1 \|\| =2:2.2.28-1~deb11u1 \|\| =2:2.2.28-1~deb11u2 \|\| =2:2.2.28-1~deb11u3 \|\| =2:2.2.28-1~deb11u4 \|\| =2:2.2.28-1~deb11u5 \|\| =2:2.2.28-1~deb11u6 \|\| =2:2.2.28-1~deb11u7 \|\| =2:2.2.28-1~deb11u8 \|\| >=0 <2:2.2.28-1~deb11u9	2:2.2.28-1~deb11u9
debian 13	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| >=0 <3:4.2.27-0+deb13u1	3:4.2.27-0+deb13u1
pypi	django	>=4.2 <4.2.25 \|\| >=5.1 <5.1.13 \|\| >=5.2 <5.2.7	4.2.25, 5.1.13, 5.2.7

Aliases

1. CVE-2025-596822. NVD-2025-596823. OSV-DEBIAN-2025-596824. OSV-2025-596825. GCVE-2025-596826. SECURITY-TRACKER-CVE-2025-59682

References

1. https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e2. https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de23. https://docs.djangoproject.com/en/dev/releases/security4. https://groups.google.com/g/django-announce5. https://www.djangoproject.com/weblog/2025/oct/01/security-releases6. http://www.openwall.com/lists/oss-security/2025/10/01/3