CVE-2025-59682: 
Django vulnerability analysis and mitigation

CVE-2025-59682 was discovered and disclosed on October 1, 2025. This vulnerability affects Django versions 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The vulnerability exists in the django.utils.archive.extract() function, which is used by the 'startapp --template' and 'startproject --template' commands (Django Security).

The vulnerability allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. The issue has been classified with a CVSS v3.1 Base Score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is categorized as CWE-23: Relative Path Traversal (NVD).

The vulnerability could allow attackers to perform partial directory traversal attacks when using the template functionality in Django's startapp and startproject commands. This could potentially lead to file overwrite capabilities within the target directory structure (Django Security).

The issue has been fixed in Django versions 5.2.7, 5.1.13, and 4.2.25. Users are strongly encouraged to upgrade to these patched versions. The fixes have been applied to Django's main branch, 6.0 (alpha status), 5.2, 5.1, and 4.2 branches (Django Security).

The Django security team has classified this vulnerability as 'low' severity according to their security policy. The vulnerability was responsibly disclosed and reported by security researcher 'stackered' (Django Security).