{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47923?format=json","vulnerability_id":"VCID-n2v7-jqjy-37bc","summary":"Django vulnerable to partial directory traversal via archives\nAn issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.","aliases":[{"alias":"CVE-2025-59682"},{"alias":"GHSA-q95w-c7qg-hrff"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46371?format=json","purl":"pkg:pypi/django@4.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"},{"vulnerability":"VCID-whgc-pt2s-77ar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25"},{"url":"http://public2.vulnerablecode.io/api/packages/46372?format=json","purl":"pkg:pypi/django@5.1.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-whgc-pt2s-77ar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/46373?format=json","purl":"pkg:pypi/django@5.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-abpe-htm1-9ubp"},{"vulnerability":"VCID-eqsc-axng-ckca"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-m4am-h2ea-3ffr"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"},{"vulnerability":"VCID-whgc-pt2s-77ar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33541?format=json","purl":"pkg:pypi/django@4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ft7-rbey-kuhx"},{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-5xtt-au84-zbb2"},{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-7upw-5p86-8bfr"},{"vulnerability":"VCID-9gq3-whr8-s7b8"},{"vulnerability":"VCID-9kvc-1bdz-n3bd"},{"vulnerability":"VCID-am3f-c5ex-8ff2"},{"vulnerability":"VCID-bb8b-hq41-s7a6"},{"vulnerability":"VCID-e12b-tw2c-53c9"},{"vulnerability":"VCID-e8j6-mybr-17fh"},{"vulnerability":"VCID-f4a7-tcz5-byfj"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-fsaw-3ta1-x3dw"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-hsjn-xnpp-5yeh"},{"vulnerability":"VCID-jgv9-vdbm-sycd"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-m33h-4p9q-63fb"},{"vulnerability":"VCID-n2v7-jqjy-37bc"},{"vulnerability":"VCID-pa7y-gpwp-6qgj"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-qgp1-4efd-6yg6"},{"vulnerability":"VCID-qy1a-x3ff-4bc8"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-rqqc-ta7c-ykgx"},{"vulnerability":"VCID-s1rj-1xbw-fbg5"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-ud73-4t2c-n3at"},{"vulnerability":"VCID-vgq9-s6th-yufg"},{"vulnerability":"VCID-w777-44ns-cybg"},{"vulnerability":"VCID-wa3g-27sx-mbcw"},{"vulnerability":"VCID-whgc-pt2s-77ar"},{"vulnerability":"VCID-xcmd-18ck-gqae"},{"vulnerability":"VCID-ynt9-h6ww-h7e9"},{"vulnerability":"VCID-yuda-1mur-8bbq"},{"vulnerability":"VCID-z6tf-z1y9-cydq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/43560?format=json","purl":"pkg:pypi/django@5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ft7-rbey-kuhx"},{"vulnerability":"VCID-5xtt-au84-zbb2"},{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-9kvc-1bdz-n3bd"},{"vulnerability":"VCID-bb8b-hq41-s7a6"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-hsjn-xnpp-5yeh"},{"vulnerability":"VCID-n2v7-jqjy-37bc"},{"vulnerability":"VCID-pa7y-gpwp-6qgj"},{"vulnerability":"VCID-qw15-2kq7-wqed"},{"vulnerability":"VCID-qy1a-x3ff-4bc8"},{"vulnerability":"VCID-ud73-4t2c-n3at"},{"vulnerability":"VCID-whgc-pt2s-77ar"},{"vulnerability":"VCID-ynt9-h6ww-h7e9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/45038?format=json","purl":"pkg:pypi/django@5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-5xtt-au84-zbb2"},{"vulnerability":"VCID-7c5n-nzwk-v7bz"},{"vulnerability":"VCID-7upw-5p86-8bfr"},{"vulnerability":"VCID-9kvc-1bdz-n3bd"},{"vulnerability":"VCID-abpe-htm1-9ubp"},{"vulnerability":"VCID-bb8b-hq41-s7a6"},{"vulnerability":"VCID-eqsc-axng-ckca"},{"vulnerability":"VCID-fcg9-xypn-ykhf"},{"vulnerability":"VCID-ga69-9y5g-77c3"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-m4am-h2ea-3ffr"},{"vulnerability":"VCID-n2v7-jqjy-37bc"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-w777-44ns-cybg"},{"vulnerability":"VCID-wa3g-27sx-mbcw"},{"vulnerability":"VCID-whgc-pt2s-77ar"},{"vulnerability":"VCID-ynt9-h6ww-h7e9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2"}],"references":[{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e"},{"reference_url":"https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases","reference_id":"","reference_type":"","scores":[],"url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59682","reference_id":"CVE-2025-59682","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59682"},{"reference_url":"https://github.com/advisories/GHSA-q95w-c7qg-hrff","reference_id":"GHSA-q95w-c7qg-hrff","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q95w-c7qg-hrff"}],"weaknesses":[{"cwe_id":23,"name":"Relative Path Traversal","description":"The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2v7-jqjy-37bc"}