[5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-09-16 17:13:36 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 08:25:20 -0400
commit: ed8fc39d77465eddbde1191a054ae965f6a8a584 (patch)
tree: 876ee5a8ae2368375517969343a91711a51f214f /docs
parent: 52fbae0a4dbbe5faa59827f8f05694a0065cc135 (diff)
3 files changed, 24 insertions, 0 deletions
diff --git a/docs/releases/4.2.25.txt b/docs/releases/4.2.25.txt
index 5412777055..7ba23c0132 100644
--- a/docs/releases/4.2.25.txt
+++ b/docs/releases/4.2.25.txt
@@ -15,3 +15,11 @@ CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``,
 to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
+
+CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
+===============================================================================
+
+The ``django.utils.archive.extract()`` function, used by
+:option:`startapp --template` and :option:`startproject --template`, allowed
+partial directory-traversal via an archive with file paths sharing a common
+prefix with the target directory (follow up to :cve:`2021-3281`).
diff --git a/docs/releases/5.1.13.txt b/docs/releases/5.1.13.txt
index 96b81c0102..7b9b5c8d39 100644
--- a/docs/releases/5.1.13.txt
+++ b/docs/releases/5.1.13.txt
@@ -15,3 +15,11 @@ CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``,
 to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
+
+CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
+===============================================================================
+
+The ``django.utils.archive.extract()`` function, used by
+:option:`startapp --template` and :option:`startproject --template`, allowed
+partial directory-traversal via an archive with file paths sharing a common
+prefix with the target directory (follow up to :cve:`2021-3281`).
diff --git a/docs/releases/5.2.7.txt b/docs/releases/5.2.7.txt
index 05d03a991e..b8c27d1de2 100644
--- a/docs/releases/5.2.7.txt
+++ b/docs/releases/5.2.7.txt
@@ -17,6 +17,14 @@ to SQL injection in column aliases, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
 :cve:`2022-28346`).
 
+CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
+===============================================================================
+
+The ``django.utils.archive.extract()`` function, used by
+:option:`startapp --template` and :option:`startproject --template`, allowed
+partial directory-traversal via an archive with file paths sharing a common
+prefix with the target directory (follow up to :cve:`2021-3281`).
+
 Bugfixes
 ========
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-09-16 17:13:36 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 08:25:20 -0400
commit	ed8fc39d77465eddbde1191a054ae965f6a8a584 (patch)
tree	876ee5a8ae2368375517969343a91711a51f214f /docs
parent	52fbae0a4dbbe5faa59827f8f05694a0065cc135 (diff)