Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-n2v7-jqjy-37bc

Summary

Django vulnerable to partial directory traversal via archives
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Aliases

alias	CVE-2025-59682

alias	GHSA-q95w-c7qg-hrff

Fixed_packages

url pkg:pypi/django@4.2.25

purl pkg:pypi/django@4.2.25

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4kcg-gx5y-cuaw

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-ga7z-wj4j-63h1

vulnerability	VCID-jybd-p65h-xffy

vulnerability	VCID-kxdd-yzp3-r7cb

vulnerability	VCID-phkp-9abp-f3dq

vulnerability	VCID-r1vx-vv7d-gqaj

vulnerability	VCID-shch-yusm-1uck

vulnerability	VCID-shjc-2j68-2yfy

vulnerability	VCID-tktt-vg92-6kae

vulnerability	VCID-tuqc-c251-h7ds

vulnerability	VCID-wa3g-27sx-mbcw

vulnerability	VCID-whgc-pt2s-77ar

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25

url pkg:pypi/django@5.1.13

purl pkg:pypi/django@5.1.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-whgc-pt2s-77ar

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.13

url pkg:pypi/django@5.2.7

purl pkg:pypi/django@5.2.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4kcg-gx5y-cuaw

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-abpe-htm1-9ubp

vulnerability	VCID-eqsc-axng-ckca

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-ga7z-wj4j-63h1

vulnerability	VCID-jybd-p65h-xffy

vulnerability	VCID-kxdd-yzp3-r7cb

vulnerability	VCID-m4am-h2ea-3ffr

vulnerability	VCID-phkp-9abp-f3dq

vulnerability	VCID-r1vx-vv7d-gqaj

vulnerability	VCID-shch-yusm-1uck

vulnerability	VCID-shjc-2j68-2yfy

vulnerability	VCID-tktt-vg92-6kae

vulnerability	VCID-tuqc-c251-h7ds

vulnerability	VCID-wa3g-27sx-mbcw

vulnerability	VCID-whgc-pt2s-77ar

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7

Affected_packages

url pkg:pypi/django@4.2

purl pkg:pypi/django@4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ft7-rbey-kuhx

vulnerability	VCID-4kcg-gx5y-cuaw

vulnerability	VCID-5xtt-au84-zbb2

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-7upw-5p86-8bfr

vulnerability	VCID-9gq3-whr8-s7b8

vulnerability	VCID-9kvc-1bdz-n3bd

vulnerability	VCID-am3f-c5ex-8ff2

vulnerability	VCID-bb8b-hq41-s7a6

vulnerability	VCID-e12b-tw2c-53c9

vulnerability	VCID-e8j6-mybr-17fh

vulnerability	VCID-f4a7-tcz5-byfj

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-fsaw-3ta1-x3dw

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-ga7z-wj4j-63h1

vulnerability	VCID-hsjn-xnpp-5yeh

vulnerability	VCID-jgv9-vdbm-sycd

vulnerability	VCID-jybd-p65h-xffy

vulnerability	VCID-kxdd-yzp3-r7cb

vulnerability	VCID-m33h-4p9q-63fb

vulnerability	VCID-n2v7-jqjy-37bc

vulnerability	VCID-pa7y-gpwp-6qgj

vulnerability	VCID-phkp-9abp-f3dq

vulnerability	VCID-qgp1-4efd-6yg6

vulnerability	VCID-qy1a-x3ff-4bc8

vulnerability	VCID-r1vx-vv7d-gqaj

vulnerability	VCID-rqqc-ta7c-ykgx

vulnerability	VCID-s1rj-1xbw-fbg5

vulnerability	VCID-shch-yusm-1uck

vulnerability	VCID-shjc-2j68-2yfy

vulnerability	VCID-tktt-vg92-6kae

vulnerability	VCID-tuqc-c251-h7ds

vulnerability	VCID-ud73-4t2c-n3at

vulnerability	VCID-vgq9-s6th-yufg

vulnerability	VCID-w777-44ns-cybg

vulnerability	VCID-wa3g-27sx-mbcw

vulnerability	VCID-whgc-pt2s-77ar

vulnerability	VCID-xcmd-18ck-gqae

vulnerability	VCID-ynt9-h6ww-h7e9

vulnerability	VCID-yuda-1mur-8bbq

vulnerability	VCID-z6tf-z1y9-cydq

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2

url pkg:pypi/django@5.1

purl pkg:pypi/django@5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2ft7-rbey-kuhx

vulnerability	VCID-5xtt-au84-zbb2

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-9kvc-1bdz-n3bd

vulnerability	VCID-bb8b-hq41-s7a6

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-hsjn-xnpp-5yeh

vulnerability	VCID-n2v7-jqjy-37bc

vulnerability	VCID-pa7y-gpwp-6qgj

vulnerability	VCID-qw15-2kq7-wqed

vulnerability	VCID-qy1a-x3ff-4bc8

vulnerability	VCID-ud73-4t2c-n3at

vulnerability	VCID-whgc-pt2s-77ar

vulnerability	VCID-ynt9-h6ww-h7e9

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1

url pkg:pypi/django@5.2

purl pkg:pypi/django@5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4kcg-gx5y-cuaw

vulnerability	VCID-5xtt-au84-zbb2

vulnerability	VCID-7c5n-nzwk-v7bz

vulnerability	VCID-7upw-5p86-8bfr

vulnerability	VCID-9kvc-1bdz-n3bd

vulnerability	VCID-abpe-htm1-9ubp

vulnerability	VCID-bb8b-hq41-s7a6

vulnerability	VCID-eqsc-axng-ckca

vulnerability	VCID-fcg9-xypn-ykhf

vulnerability	VCID-ga69-9y5g-77c3

vulnerability	VCID-ga7z-wj4j-63h1

vulnerability	VCID-jybd-p65h-xffy

vulnerability	VCID-kxdd-yzp3-r7cb

vulnerability	VCID-m4am-h2ea-3ffr

vulnerability	VCID-n2v7-jqjy-37bc

vulnerability	VCID-phkp-9abp-f3dq

vulnerability	VCID-r1vx-vv7d-gqaj

vulnerability	VCID-shch-yusm-1uck

vulnerability	VCID-shjc-2j68-2yfy

vulnerability	VCID-tktt-vg92-6kae

vulnerability	VCID-tuqc-c251-h7ds

vulnerability	VCID-w777-44ns-cybg

vulnerability	VCID-wa3g-27sx-mbcw

vulnerability	VCID-whgc-pt2s-77ar

vulnerability	VCID-ynt9-h6ww-h7e9

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2

References

reference_url	https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/dev/releases/security

reference_url	https://github.com/django/django
reference_id
reference_type
scores
url	https://github.com/django/django

reference_url	https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
reference_id
reference_type
scores
url	https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e

reference_url	https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2
reference_id
reference_type
scores
url	https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2

reference_url	https://groups.google.com/g/django-announce
reference_id
reference_type
scores
url	https://groups.google.com/g/django-announce

reference_url	https://www.djangoproject.com/weblog/2025/oct/01/security-releases
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2025/oct/01/security-releases

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2025-59682
reference_id	CVE-2025-59682
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2025-59682

reference_url	https://github.com/advisories/GHSA-q95w-c7qg-hrff
reference_id	GHSA-q95w-c7qg-hrff
reference_type
scores
url	https://github.com/advisories/GHSA-q95w-c7qg-hrff

Weaknesses

cwe_id	23
name	Relative Path Traversal
description	The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n2v7-jqjy-37bc

Vulnerability Instance