Skip to content

chore(deps): update dependency django to v4.2.25 [security] #5578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

chore(deps): update dependency django to v4.2.25 [security] #5578

wants to merge 1 commit into from
+2 −2

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Oct 17, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
django (changelog) ==4.2.24 -> ==4.2.25 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

CVE-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Django vulnerable to SQL injection in column aliases

BIT-django-2025-59681 / CVE-2025-59681 / GHSA-hpr9-3m2g-3j9p

More information

Details

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Django vulnerable to partial directory traversal via archives

BIT-django-2025-59682 / CVE-2025-59682 / GHSA-q95w-c7qg-hrff

More information

Details

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

django/django (django)

v4.2.25

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner October 17, 2025 09:15
@renovate-sh-app renovate-sh-app bot enabled auto-merge October 17, 2025 09:15
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/pypi-django-vulnerability branch from 7675a0d to b068b9f Compare October 24, 2025 15:30
@renovate-sh-app
chore(deps): update dependency django to v4.2.25 [security]
338601a 
| datasource | package | from   | to     |
| ---------- | ------- | ------ | ------ |
| pypi       | django  | 4.2.24 | 4.2.25 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/pypi-django-vulnerability branch from b068b9f to 338601a Compare October 24, 2025 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olegbespalov olegbespalov olegbespalov approved these changes

@mderynck mderynck Awaiting requested review from mderynck mderynck is a code owner automatically assigned from grafana/grafana-irm-backend

Assignees

No one assigned

Labels

automerge-security-update severity:HIGH

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CLAassistant @olegbespalov