From 924a0c092e65fa2d0953fd1855d2dc8786d94de2 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Tue, 16 Sep 2025 17:13:36 +0200 Subject: Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. --- docs/releases/5.2.7.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/releases/5.2.7.txt') diff --git a/docs/releases/5.2.7.txt b/docs/releases/5.2.7.txt index 05d03a991e..b8c27d1de2 100644 --- a/docs/releases/5.2.7.txt +++ b/docs/releases/5.2.7.txt @@ -17,6 +17,14 @@ to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to :cve:`2022-28346`). +CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()`` +=============================================================================== + +The ``django.utils.archive.extract()`` function, used by +:option:`startapp --template` and :option:`startproject --template`, allowed +partial directory-traversal via an archive with file paths sharing a common +prefix with the target directory (follow up to :cve:`2021-3281`). + Bugfixes ======== -- cgit v1.3