CVE-2024-39330 – This vulnerability allows directory traversal a... (How to Fix)

Q: What is the severity of CVE-2024-39330?

CVE-2024-39330 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows directory traversal attacks in Django applications that use custom Storage subclasses. Attackers can potentially read or write files outside intended directories by manipulating file paths during save operations. Only Django applications with custom Storage classes that override generate_filename() without proper validation are affected.

📋 TL;DR

This vulnerability allows directory traversal attacks in Django applications that use custom Storage subclasses. Attackers can potentially read or write files outside intended directories by manipulating file paths during save operations. Only Django applications with custom Storage classes that override generate_filename() without proper validation are affected.

💻 Affected Systems

Products:

Django

Versions: Django 5.0.0 to 5.0.6, Django 4.2.0 to 4.2.13

Operating Systems: All

Default Config Vulnerable: ✅ No

Notes: Only affects custom Storage subclasses that override generate_filename() without proper validation. Built-in Django Storage classes are not vulnerable.

📦 What is this software?

Django by Djangoproject

View all CVEs affecting Django →

Django by Djangoproject

View all CVEs affecting Django →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary file read/write leading to sensitive data exposure, file deletion, or remote code execution if writable directories contain executable files.

🟠

Likely Case

Unauthorized file access or modification within the application's directory structure, potentially exposing configuration files or user uploads.

🟢

If Mitigated

Limited impact with proper file system permissions and input validation in place.

🌐 Internet-Facing: MEDIUM - Exploitable via file upload functionality exposed to users, but requires specific custom Storage implementation.

🏢 Internal Only: LOW - Requires authenticated access and specific custom Storage implementation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires knowledge of custom Storage implementation and ability to trigger file save operations with controlled input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.0.7 or 4.2.14

Vendor Advisory: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

Restart Required: No

Instructions:

1. Update Django using pip: 'pip install Django==5.0.7' or 'pip install Django==4.2.14'. 2. Verify update with 'python -m django --version'. 3. Test application functionality.

🔧 Temporary Workarounds

Add path validation to custom Storage classes

all

Ensure custom Storage subclasses properly validate file paths in generate_filename() method

Review and modify custom Storage classes to include path validation similar to Django's built-in Storage.generate_filename()

🧯 If You Can't Patch

Review all custom Storage subclasses and ensure they properly validate file paths
Implement additional file path sanitization before passing to Storage methods

🔍 How to Verify

Check if Vulnerable:

Check Django version and review custom Storage classes for generate_filename() overrides without proper path validation

Check Version:

python -m django --version

Verify Fix Applied:

Verify Django version is 5.0.7+ or 4.2.14+ and test file operations with malicious path inputs

📡 Detection & Monitoring

Log Indicators:

Unusual file path patterns in file operations
Failed file access attempts outside expected directories

Network Indicators:

File upload requests containing path traversal sequences (../)

SIEM Query:

search 'file_path contains ../' OR 'directory_traversal' in application logs

📊 Metadata

CVE ID: CVE-2024-39330

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-22

Published: July 10, 2024

Last Updated: November 4, 2025

🔗 References

https://docs.djangoproject.com/en/dev/releases/security/ Vendor Advisory
https://groups.google.com/forum/#%21forum/django-announce Permissions Required
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ Vendor Advisory
https://docs.djangoproject.com/en/dev/releases/security/ Vendor Advisory
https://groups.google.com/forum/#%21forum/django-announce Permissions Required
https://security.netapp.com/advisory/ntap-20240808-0005/
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-39330, you might also want to check these: