Django App Vulnerabilities Chained to Execute Arbitrary Code Remotely

A critical remote code execution (RCE) chain found in a Django web application shows how a seemingly benign CSV file upload feature can be turned into a full server compromise.

Summary
1. Django RCE exploit chains directory traversal with CSV parser abuse to compromise servers through file uploads.
2. Attackers use unsanitized username input (../../../../../../app/backend/backend/) to target Django's wsgi.py file.
3. Python code crafted so that the extra commas and padding pandas adds fall behind # comment markers survives the read_csv()/to_csv() round trip and runs as soon as Django's development server reloads the overwritten wsgi.py.
4. Successful exploitation grants full remote code execution and potential infrastructure infiltration.

The exploit, published on June 30, 2025, chains directory traversal with pandas CSV parser abuse to overwrite Django’s wsgi.py file and achieve arbitrary code execution.

Django App Remote Code Execution via CSV Upload

During a bug bounty engagement, security researcher Jineesh AK revealed a vulnerability in a Django application that lets users submit CSV files for processing. 

The application’s vulnerable endpoint used pandas to parse uploaded CSV files and save processed results to disk based on user-controlled input.

The critical flaw was the application's unchecked trust in user-supplied data: the vulnerable code segment incorporated the username parameter directly into the filesystem path used for the processed file, with no sanitization.

This design allowed attackers to manipulate the file write location using directory traversal sequences like ../../../../../../app/backend/backend/, effectively bypassing intended access controls and targeting sensitive system files.

The researcher’s exploitation technique involved crafting a malicious CSV payload that would survive pandas’ read_csv() and to_csv() processing cycle while remaining valid Python code. 

The key trick was to end each statement with a Python comment marker (#), so that the extra commas and padding pandas introduces when it rewrites the rows land inside comments and are ignored by the Python interpreter.

The payload therefore had to satisfy two parsers at once: remain a well-formed table for pandas and remain valid Python for the interpreter.

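The following is an added illustration of the round-trip survival trick, not the researcher's payload (the write-up shows that only as a screenshot). The standard-library csv module stands in for pandas, on the assumption that the endpoint's read_csv()/to_csv() round trip keeps the header row, writes no index column, and pads short rows with empty cells; the payload text, the function names and the file name "wsgi.py" are constructed for the demo.

```python
import ast
import csv
import io

# Added illustration; not the researcher's payload. The csv module stands in
# for pandas (assumption: header kept, no index column written, short rows
# padded with empty cells, QUOTE_MINIMAL quoting as pandas also uses).


def csv_roundtrip(text: str) -> str:
    """Parse CSV text and write it back, the way a DataFrame round trip would.

    Rows shorter than the header are padded with empty cells (pandas writes
    NaN as ''), rows longer than the header are rejected (pandas raises a
    ParserError), and any field containing a double quote is wrapped in
    quotes with the inner quotes doubled.
    """
    rows = list(csv.reader(io.StringIO(text)))
    width = len(rows[0])
    fixed = []
    for row in rows:
        if len(row) > width:
            raise ValueError("row has more fields than the header")
        fixed.append(row + [""] * (width - len(row)))
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(fixed)
    return out.getvalue()


def survives_as_python(text: str) -> bool:
    """True if the round-tripped file still parses as Python."""
    try:
        ast.parse(csv_roundtrip(text))
        return True
    except SyntaxError:
        return False


def first_statement_kind(text: str) -> str:
    """AST node type of the first statement after the round trip ('Import', 'Expr', ...)."""
    return type(ast.parse(csv_roundtrip(text)).body[0]).__name__


def run_payload(text: str) -> dict:
    """Round-trip the payload and execute it in a scratch namespace, as a
    freshly re-imported wsgi.py would be. Returns the names it defined."""
    namespace = {}
    exec(compile(csv_roundtrip(text), "wsgi.py", "exec"), namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


# Constructed payload: every statement ends with '#', so the column delimiter
# and the padding cells the writer appends become part of a comment. Single
# quotes keep the fields free of the CSV quote character.
GOOD_PAYLOAD = (
    "import os #,col2,col3\n"
    "MARKER = 'survived the round trip' #\n"
    "SEP = os.sep #\n"
)

# Constructed counter-example: a double-quoted string triggers CSV quoting, so
# the whole line is wrapped in quotes with the inner quotes doubled. Python then
# reads it as three adjacent string literals: it compiles, but it does nothing.
BAD_PAYLOAD = 'MARKER = "quoted" #\n'


if __name__ == "__main__":
    print(csv_roundtrip(GOOD_PAYLOAD))
    print(first_statement_kind(GOOD_PAYLOAD), run_payload(GOOD_PAYLOAD)["MARKER"])
    print(csv_roundtrip(BAD_PAYLOAD))
    print(first_statement_kind(BAD_PAYLOAD), "MARKER" in run_payload(BAD_PAYLOAD))
```

One caveat the article does not settle: pandas' to_csv() writes the index column by default, which puts a leading comma on every line and breaks the file as Python, so the exact read_csv()/to_csv() arguments of the target endpoint decide whether a payload of this shape survives.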
The target file, wsgi.py, was chosen deliberately: it is the module Django's development server (runserver) imports to obtain the WSGI application, and runserver's autoreloader restarts the process as soon as any imported module changes on disk, so the overwritten file executes with no further interaction. Under a production WSGI server such as gunicorn without a reload option, the same overwrite would only run on the next restart or worker spawn.

This vulnerability demonstrates the dangerous potential of chaining multiple seemingly minor security flaws into critical exploits. 

The attack vector highlights several concerning practices: unsanitized user input in filesystem operations, unsafe file processing with third-party libraries, and Django’s auto-reloading behavior in development environments.

The exploit grants attackers complete server-side code execution capabilities, potentially leading to data theft, system compromise, and lateral movement within targeted infrastructure. 

Organizations running Django applications with file upload functionality should audit their code for similar patterns: never let user input reach a filesystem path without an allowlist and a containment check, write processed files under a fixed directory with a server-generated name, and sandbox or otherwise isolate file processing so that a parser-level trick cannot reach application source.
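The following is an added example, not the bug-bounty target's code (which the write-up shows only as a screenshot): it reproduces the traversal described above, where a username such as ../../../../../../app/backend/backend/ is spliced into the output path, and places the hardened form the closing advice calls for beside it. UPLOAD_ROOT, the separate filename parameter and the function names are assumptions for the demo.

```python
import os
import re

# Added illustration of the pattern the article describes; not the target
# application's code. UPLOAD_ROOT and the "filename" parameter are assumptions.
UPLOAD_ROOT = "/app/uploads"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_output_path(username: str, filename: str) -> str:
    """Vulnerable: the username is spliced into the path unchecked.

    os.path.join keeps every '../' segment and normpath then collapses them,
    so the write lands wherever the attacker pointed it.
    """
    return os.path.normpath(os.path.join(UPLOAD_ROOT, username, filename))


def safe_output_path(username: str, filename: str) -> str:
    """Hardened: allowlist the username and the file name, then prove the
    final path stays inside UPLOAD_ROOT before it is ever handed to open()."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must be a bare file name")
    target = os.path.normpath(os.path.join(UPLOAD_ROOT, username, filename))
    # Containment check: defence in depth in case the allowlist is loosened later.
    if os.path.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_rejected(username: str, filename: str) -> bool:
    """True when the hardened function refuses the input."""
    try:
        safe_output_path(username, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../../../../../app/backend/backend/"
    print(vulnerable_output_path(traversal, "wsgi.py"))  # /app/backend/backend/wsgi.py
    print(is_rejected(traversal, "wsgi.py"))             # True
    print(safe_output_path("alice", "report.csv"))       # /app/uploads/alice/report.csv
```

The allowlist alone would stop this particular payload; the commonpath check is kept so that a later relaxation of the allowlist (spaces, dots, Unicode names) cannot silently reopen the traversal.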
