Skip to content

[Snyk - Medium] Update django@5.2.13 (10 July 2026) #2034

Description

@exalate-issue-sync

Improper Handling of Length Parameter Inconsistency

CWE-130 | CVE-2026-5766 | CVSS 6.3

Detailed paths and remediation

  • Introduced through: root@0.0.0 › django@5.2.13

    Fix: Upgrade django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency in the handling of ASGI requests when the Content-Length header is missing or understated. An attacker can cause excessive memory usage and degrade service availability by uploading large files that bypass configured upload limits.L

Use of Cache Containing Sensitive Information

CWE-524 | CVE-2026-6907 | CVSS 2.3

Detailed paths and remediation

  • Introduced through: root@0.0.0 › django@5.2.13

    Fix: Upgrade django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the UpdateCacheMiddleware middleware. An attacker can access private data belonging to other users by exploiting incorrect handling of the Vary: * header, which causes improper caching of responses.

Use of Persistent Cookies Containing Sensitive Information

CWE-539 | CVE-2026-35192 | CVSS 2.3

Detailed paths and remediation

  • Introduced through: root@0.0.0 › django@5.2.13

    Fix: Upgrade django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

  • Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13

    Fix: Pin django to version 5.2.14 or 6.0.5

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Use of Persistent Cookies Containing Sensitive Information in the SESSION_SAVE_EVERY_REQUEST. An attacker can hijack a user's session by exploiting public cached pages that do not vary response headers on cookies if the session is not modified and SESSION_SAVE_EVERY_REQUEST=True.

Fix:

Upgrading to django@5.2.14 fixes all 3 issues.

We will upgrade to django 6 in a later ticket

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-3125

Pull Request: #2054

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions