6.5
CVE-2025-59682
- EPSS 0.02%
- Veröffentlicht 01.10.2025 19:15:37
- Zuletzt bearbeitet 04.11.2025 22:16:35
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Djangoproject ≫ Django Version >= 4.2.0 < 4.2.25
Djangoproject ≫ Django Version >= 5.1 < 5.1.13
Djangoproject ≫ Django Version >= 5.2 < 5.2.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.061 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| cve@mitre.org | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-23 Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.