GHSA-9jmf-237g-qf46

GitHub Security Advisory

Django Path Traversal vulnerability

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the `django.core.files.storage.Storage` base class, when they override `generate_filename()` without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a `save()` call. (Built-in Storage sub-classes are unaffected.)
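The pattern described above, as an added example that is not Django's code or part of the advisory: a stdlib-only model of an override that skips the parent's validation beside one that passes its result back through it. `BaseStorage`, `validate_generated_name`, `SuspiciousFileName`, the `media` root and the `tenant-a` prefix are hypothetical stand-ins, and the validation is a sketch of this kind of check rather than Django's implementation.

```python
import posixpath
from pathlib import PurePosixPath

class SuspiciousFileName(ValueError):
    """Hypothetical error type for names that could leave the storage root."""

def validate_generated_name(name):
    """Sketch of parent-class style path checks (not Django's implementation)."""
    normalized = name.replace("\\", "/")
    path = PurePosixPath(normalized)
    if not normalized or path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileName(f"unsafe file name: {name!r}")
    return posixpath.normpath(normalized)

class BaseStorage:
    """Minimal stand-in for a storage base class; nothing is written to disk."""
    root = "media"  # assumed storage root

    def generate_filename(self, filename):
        return validate_generated_name(filename)

    def save(self, name):
        # A real backend would write content here; this returns the target path.
        return f"{self.root}/{self.generate_filename(name)}"

class UnsafePrefixedStorage(BaseStorage):
    """Override that builds the name itself and drops the parent's validation."""
    def generate_filename(self, filename):
        return "tenant-a/" + filename

class SafePrefixedStorage(BaseStorage):
    """Same override, with the result passed back through the parent's checks."""
    def generate_filename(self, filename):
        return super().generate_filename("tenant-a/" + filename)

def escapes_root(path, root="media"):
    """True if the normalized path no longer sits under the storage root."""
    resolved = posixpath.normpath(path)
    return not resolved.startswith(root + "/")

if __name__ == "__main__":
    crafted = "../../settings.py"  # constructed input
    target = UnsafePrefixedStorage().save(crafted)
    print(target, "escapes root:", escapes_root(target))
    try:
        SafePrefixedStorage().save(crafted)
    except SuspiciousFileName as exc:
        print("rejected:", exc)
```

A unit test of this shape, run against every custom storage class in a code base, flags overrides that return unvalidated names.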

Affected Packages

PyPI Django: affected versions 5.0 (fixed in 5.0.7)
PyPI Django: affected versions 4.2 (fixed in 4.2.14)

Key Information

GHSA ID: GHSA-9jmf-237g-qf46
Published: July 10, 2024 6:33 AM
Last Modified: July 10, 2024 9:41 PM
CVSS Score: 7.5/10
Primary Ecosystem: PyPI
Primary Package: Django
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 9, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.