Update Django to 5.2.7

[stuntguy3000]

NetBox version

v4.4.2

Feature type

Other

Proposed functionality

https://www.djangoproject.com/weblog/2025/oct/01/security-releases/

I am requesting Django is updated to 5.2.7 to address CVE-2025-59681.

Use case

Addressing upstream security issue. Enterprise environments where package management scanning are used, may alarm/alert/block the current installation of NetBox, due to Django v5.2.6's recently released critical CVE.

Database changes

None

External dependencies

Django v5.2.7

[jnovinger]

Thanks for the report, @stuntguy3000 . Normally, we address dependency updates as part of our release process, not usually as standalone work. The next patch release, v4.4.3, is scheduled to be released on Tuesday (Oct. 14, 2025) and would include Django 5.2.7.

However, you make a good point about enterprise scanning tools flagging the vulnerable Django version. While the vulnerabilities themselves don't affect NetBox (see note below), the alerts can create friction in deployment pipelines and require manual verification/overrides. That said, this may not end up being merged until Tuesday anyway, since all PRs require approval from a maintainer other than the author.

Note: Neither of these particular vulnerabilities do or will affect NetBox. The SQL injection vulnerability only affects MySQL and MariaDB, while NetBox requires and only uses PostgreSQL. The directory-traversal vulnerability requires the use of startapp or startproject, which the project has no need for between now and v4.4.3.

[stuntguy3000]

Thanks for the report, @stuntguy3000 . Normally, we address dependency updates as part of our release process, not usually as standalone work. The next patch release, v4.4.3, is scheduled to be released on Tuesday (Oct. 14, 2025) and would include Django 5.2.7.

However, you make a good point about enterprise scanning tools flagging the vulnerable Django version. While the vulnerabilities themselves don't affect NetBox (see note below), the alerts can create friction in deployment pipelines and require manual verification/overrides. That said, this may not end up being merged until Tuesday anyway, since all PRs require approval from a maintainer other than the author.

Note: Neither of these particular vulnerabilities do or will affect NetBox. The SQL injection vulnerability only affects MySQL and MariaDB, while NetBox requires and only uses PostgreSQL. The directory-traversal vulnerability requires the use of startapp or startproject, which the project has no need for between now and v4.4.3.

Not a worry, appreciate the quick response! Manually changing the version in the requirements file is a good workaround, until the next release.

[jnovinger]

This shipped in v4.4.3 today: https://github.com/netbox-community/netbox/releases/tag/v4.4.3