Commit 5447a5d
chore(deps): update dependency django to v4.2.25 [security] (#5578)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [django](https://redirect.github.com/django/django) ([changelog](https://docs.djangoproject.com/en/stable/releases/)) | `==4.2.24` -> `==4.2.25` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/django/4.2.25?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/django/4.2.24/4.2.25?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2025-59681](https://nvd.nist.gov/vuln/detail/CVE-2025-59681)

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

#### [CVE-2025-59682](https://nvd.nist.gov/vuln/detail/CVE-2025-59682)

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

---

### Django vulnerable to SQL injection in column aliases

BIT-django-2025-59681 / [CVE-2025-59681](https://nvd.nist.gov/vuln/detail/CVE-2025-59681) / [GHSA-hpr9-3m2g-3j9p](https://redirect.github.com/advisories/GHSA-hpr9-3m2g-3j9p)

<details>
<summary>More information</summary>

#### Details

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

#### Severity

- CVSS Score: 7.1 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2025-59681](https://nvd.nist.gov/vuln/detail/CVE-2025-59681)
- [https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a](https://redirect.github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a)
- [https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e](https://redirect.github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e)
- [https://docs.djangoproject.com/en/dev/releases/security](https://docs.djangoproject.com/en/dev/releases/security)
- [https://github.com/django/django](https://redirect.github.com/django/django)
- [https://groups.google.com/g/django-announce](https://groups.google.com/g/django-announce)
- [https://www.djangoproject.com/weblog/2025/oct/01/security-releases](https://www.djangoproject.com/weblog/2025/oct/01/security-releases)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-hpr9-3m2g-3j9p) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Django vulnerable to partial directory traversal via archives

BIT-django-2025-59682 / [CVE-2025-59682](https://nvd.nist.gov/vuln/detail/CVE-2025-59682) / [GHSA-q95w-c7qg-hrff](https://redirect.github.com/advisories/GHSA-q95w-c7qg-hrff)

<details>
<summary>More information</summary>

#### Details

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

#### Severity

- CVSS Score: 3.1 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2025-59682](https://nvd.nist.gov/vuln/detail/CVE-2025-59682)
- [https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e](https://redirect.github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e)
- [https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2](https://redirect.github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2)
- [https://docs.djangoproject.com/en/dev/releases/security](https://docs.djangoproject.com/en/dev/releases/security)
- [https://github.com/django/django](https://redirect.github.com/django/django)
- [https://groups.google.com/g/django-announce](https://groups.google.com/g/django-announce)
- [https://www.djangoproject.com/weblog/2025/oct/01/security-releases](https://www.djangoproject.com/weblog/2025/oct/01/security-releases)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q95w-c7qg-hrff) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>django/django (django)</summary>

### [`v4.2.25`](https://redirect.github.com/django/django/compare/4.2.24...4.2.25)

[Compare Source](https://redirect.github.com/django/django/compare/4.2.24...4.2.25)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

## Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
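The two advisories in the commit message describe a pair of input-validation gaps: a dict key used as a SQL column alias, and a containment check on extracted archive paths that accepts a sibling directory sharing a prefix with the target. The following is an added illustration written for this page, not Django's code or its fix: a strict alias validator a caller can put in front of `annotate(**kwargs)`, and the weak prefix test beside a component-wise containment test. All function names and the regex are assumptions of this example.

```python
import os
import re

# Strict identifier pattern, constructed for this example: a column alias may
# contain only letters, digits and underscores and may not start with a digit.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_alias_kwargs(kwargs):
    """Reject any dict key that could terminate an identifier in generated SQL.

    Returns the dict unchanged when every key is a plain identifier, so a
    caller can write ``qs.annotate(**validate_alias_kwargs(untrusted_dict))``
    instead of expanding an untrusted dict straight into the ORM call.
    """
    for name in kwargs:
        if not isinstance(name, str) or not _ALIAS_RE.fullmatch(name):
            raise ValueError(f"unsafe column alias: {name!r}")
    return kwargs


def weak_is_inside(target_dir, member_path):
    """The character-prefix test that permits partial traversal.

    A destination such as <target>_other/x starts with the string <target>,
    so it passes even though it lies outside the target directory.
    """
    target = os.path.abspath(target_dir)
    dest = os.path.abspath(os.path.join(target, member_path))
    return dest.startswith(target)


def safe_is_inside(target_dir, member_path):
    """Component-wise containment: the resolved destination must be the target
    directory itself or a path below it, decided on path components rather
    than on a raw string prefix."""
    target = os.path.abspath(target_dir)
    dest = os.path.abspath(os.path.join(target, member_path))
    return os.path.commonpath([target, dest]) == target
```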
1 parent daa9012 commit 5447a5d

2 files changed: +2 −2 lines changed

engine/requirements-dev.txt

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ charset-normalizer==3.4.2
1818
# requests
1919
distlib==0.3.9
2020
# via virtualenv
21-
django==4.2.24
21+
django==4.2.25
2222
# via
2323
# -c requirements.txt
2424
# django-stubs
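Review bot: this pin only resolves together with the matching bump in engine/requirements.txt, since the `# -c requirements.txt` line shows the dev file is constrained by it; a dev-only change would leave the two pins in conflict. The `# django-stubs` line shows django-stubs also pulls in django, and its supported range is not visible in this hunk, so confirm the dev environment still resolves cleanly against django 4.2.25.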

engine/requirements.txt

Lines changed: 1 addition & 1 deletion
@@ -77,7 +77,7 @@ deprecated==1.2.18
7777
# opentelemetry-api
7878
# opentelemetry-exporter-otlp-proto-grpc
7979
# opentelemetry-semantic-conventions
80-
django==4.2.24
80+
django==4.2.25
8181
# via
8282
# -r requirements.in
8383
# django-add-default-value
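Review bot: this is the pin that closes CVE-2025-59681 and CVE-2025-59682 named in the commit message, and it is the constraint file the dev requirements reference, so the two hunks must land together. Since the only change is the version string, make sure the images or environments built from this file are actually rebuilt; a pin bump alone does not patch anything already deployed.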
