CVE-2026-25674
Race Condition in Django File-System Storage Causes Permission Issues
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: Django Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 4.2.0 (inclusive) to 4.2.29 (exclusive) |
| djangoproject | django | From 5.2 (inclusive) to 5.2.12 (exclusive) |
| djangoproject | django | From 6.0 (inclusive) to 6.0.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in Django's file-system storage and file-based cache backends that causes file system objects to be created with incorrect permissions.

The issue arises because these backends relied on the process-wide umask setting to control permissions when creating directories. In multi-threaded environments, a temporary umask change in one thread could affect other threads, leading to unintended permissions on files and directories.

Django fixed this by explicitly applying the requested permissions using os.chmod() immediately after creating directories, removing the dependency on the process-wide umask and ensuring consistent permissions regardless of threading. [1]
How can this vulnerability impact me?
This vulnerability can lead to files and directories being created with incorrect or unintended permissions in a Django application running in a multi-threaded environment.
Incorrect permissions may expose sensitive files to unauthorized users or processes, potentially leading to information disclosure or unauthorized modification.
Although the severity is classified as low, the impact depends on the sensitivity of the data stored and the environment in which Django is deployed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition causing file system objects to be created with incorrect permissions due to concurrent requests affecting the process-wide umask in multi-threaded environments.

Detection would involve checking for files or directories created by Django's file-system storage or file-based cache backends that have permissions inconsistent with the intended settings.

Since the issue is related to incorrect permissions on newly created files or directories, you can inspect the permissions of these objects in your Django application's storage or cache directories.

- Use commands like `ls -l` or `stat` on the relevant directories to identify files or directories with unexpected permission bits.
- Monitor your application logs for any warnings or errors related to file permission issues.
- Consider running tests that simulate concurrent requests to see if file permissions are set incorrectly. [1]
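The following is an added illustration, not Django's own code and not part of this advisory: it models the umask-dependent directory creation described in the explanation above next to the explicit os.chmod() fix, and adds a small permission audit of the kind the detection answer suggests. All function names and the sample directory layout are this example's own assumptions.

```python
import os
import stat
import tempfile

# Added example modelled on the behaviour described in CVE-2026-25674;
# the helper names below are assumptions, not Django's API.

def mkdir_umask_dependent(path, mode):
    """Vulnerable pattern: the resulting bits are `mode & ~umask`, so
    whatever umask another thread has temporarily set at this instant
    silently changes the outcome."""
    os.mkdir(path, mode)

def mkdir_explicit(path, mode):
    """Fixed pattern: create the directory, then apply the requested mode
    with os.chmod(), which does not consult the process umask at all."""
    os.mkdir(path, mode)
    os.chmod(path, mode)

def perm_bits(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo(requested=0o755, interfering_umask=0o077):
    """Deterministically simulate the race: another thread has set a
    restrictive umask while the backend creates its directory. Returns the
    permission bits each pattern actually produced (constructed sample)."""
    base = tempfile.mkdtemp(prefix="cve-2026-25674-")
    old = os.umask(interfering_umask)  # stands in for the other thread's change
    try:
        mkdir_umask_dependent(os.path.join(base, "vuln"), requested)
        mkdir_explicit(os.path.join(base, "fixed"), requested)
    finally:
        os.umask(old)
    return {
        "base": base,
        "requested": requested,
        "umask_dependent": perm_bits(os.path.join(base, "vuln")),
        "explicit_chmod": perm_bits(os.path.join(base, "fixed")),
    }

def audit(root, expected_mode):
    """Detection helper: directories under `root` whose permission bits
    differ from `expected_mode`, i.e. what the fixed code guarantees."""
    return sorted(
        os.path.join(d, name)
        for d, subdirs, _ in os.walk(root)
        for name in subdirs
        if perm_bits(os.path.join(d, name)) != expected_mode
    )
```

Run `demo()` on a POSIX system: the umask-dependent directory comes back as 0o700 instead of the requested 0o755, while the chmod'ed one keeps 0o755, and `audit()` over the sample tree flags only the former.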
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Django to a version where this issue is fixed.
- Upgrade to Django 6.0.3 or later, 5.2.12 or later, or 4.2.29 or later, as these versions include the fix that explicitly applies correct permissions using os.chmod() after directory creation.
- If upgrading immediately is not possible, restrict access to the affected file-system storage and cache directories to trusted users only.
- Avoid running Django in multi-threaded environments where concurrent requests might trigger this race condition until the fix is applied.