CVE-2025-59682 LOW

CVE-2025-59682

Vendor Djangoproject

Product Django

Weakness CWE-23

Published October 1, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

3.1/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Key dates

02Disclosure timeline

October 1, 2025 CVE published

November 4, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59682 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

Identifiers

CVE CVE-2025-59682

CWE CWE-23

CVSS 3.1 / LOW

Affected versions

Vendor Djangoproject

Product Django

Affected ≥ 4.2 and < 4.2.25

Vendor Djangoproject

Product Django

Affected ≥ 5.1 and < 5.1.13

Vendor Djangoproject

Product Django

Affected ≥ 5.2 and < 5.2.7

CVE-2025-59682

01Description

02Disclosure timeline

03References

04Related CVE