
CVE-2025-59682 affects Django versions 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The vulnerability was discovered and disclosed on October 1, 2025. The issue exists in the django.utils.archive.extract() function, which is used by the 'startapp --template' and 'startproject --template' commands (Django Security).
The vulnerability allows partial directory traversal via an archive whose member paths share a common prefix with the target directory. The issue has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-23 (Relative Path Traversal) (NVD).
If exploited, this vulnerability could allow an attacker to obtain sensitive information through partial directory traversal. The impact is considered 'low' according to the Django security policy (Django Security, Ubuntu Security).
The issue has been fixed in Django versions 5.2.7, 5.1.13, and 4.2.25. Users are encouraged to upgrade to these versions as soon as possible. Patches have been applied to Django's main, 6.0 (alpha), 5.2, 5.1, and 4.2 branches (Django Security).
The vulnerability was reported by security researcher 'stackered' and was handled according to Django's security release policy. The Django team classified this as a 'low' severity issue (Django Security).
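The "common prefix" failure mode described above is the classic mistake of testing path containment with a string prefix: the target directory `/srv/proj` is a string prefix of `/srv/proj-sibling/note.txt`, so a member path that resolves to a sibling directory with a longer name slips through. The following is an added example, not code from the page or from Django: it shows a prefix-style check beside a component-aware check built on `posixpath.commonpath`, and audits the member names of a constructed in-memory tar without extracting anything. The function names, the `/srv/proj` target and the archive contents are assumptions for the demonstration; `posixpath` is used instead of `os.path` so the results are the same on every platform.

```python
import io
import posixpath
import tarfile


def member_path_weak(to_path, name):
    """Resolve an archive member under to_path (expected to be absolute) and
    accept it if the result starts with the target as a *string*. This is the
    shape of check that yields partial traversal: '/srv/proj' is a prefix of
    '/srv/proj-sibling/note.txt', so '../proj-sibling/note.txt' is accepted.
    Constructed illustration of the bug class, not Django's code."""
    target = posixpath.normpath(to_path)
    filename = posixpath.normpath(posixpath.join(target, name))
    if not filename.startswith(target):
        raise ValueError(f"archive contains invalid path: {name!r}")
    return filename


def member_path_safe(to_path, name):
    """Same resolution, but containment is tested on path components: the
    resolved file must have the target directory itself as its common
    ancestor, so a sibling that merely shares a name prefix is rejected."""
    target = posixpath.normpath(to_path)
    filename = posixpath.normpath(posixpath.join(target, name))
    if posixpath.commonpath([target, filename]) != target:
        raise ValueError(f"archive contains invalid path: {name!r}")
    return filename


def _accepts(check, to_path, name):
    try:
        check(to_path, name)
    except ValueError:
        return False
    return True


def audit_members(to_path, names):
    """Map each member name to (accepted_by_weak, accepted_by_safe). A name
    accepted by the weak check and rejected by the safe one is exactly the
    partial-traversal case."""
    return {
        name: (_accepts(member_path_weak, to_path, name),
               _accepts(member_path_safe, to_path, name))
        for name in names
    }


def build_sample_archive():
    """Constructed in-memory tar: one legitimate member, one sibling-prefix
    member and one classic '..' escape. Sample data, not a real template."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("app/__init__.py", b""),
            ("../proj-sibling/note.txt", b"resolves outside the target\n"),
            ("../../etc/passwd", b"classic traversal\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_archive(archive_bytes, to_path):
    """Read the member names (nothing is extracted) and audit each one."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        names = [member.name for member in tar.getmembers()]
    return audit_members(to_path, names)


if __name__ == "__main__":
    report = audit_archive(build_sample_archive(), "/srv/proj")
    for name, (weak, safe) in report.items():
        print(f"{name:28} weak={'accept' if weak else 'reject':6} "
              f"safe={'accept' if safe else 'reject'}")
```

Running the block prints one line per member: the legitimate file is accepted by both checks, the plain `../../etc/passwd` escape is rejected by both, and only the sibling-prefix member is accepted by the weak check while the component-aware check rejects it. The same audit can be pointed at any template archive before it is handed to an extractor, which is a cheap way to confirm a fixed version behaves as intended.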
Source: This report was generated using AI