Critical Security Alert: django-storages 1.13.1 Contains 37 Vulnerabilities, Including a 9.8 CVSS Score Flaw
A dependency scan of the popular Python package django-storages reports a severe finding set for one specific release. Version 1.13.1, distributed as a wheel file, resolves to 37 distinct known vulnerabilities across the package and the dependency tree it declares. The most severe of these carries a CVSS score of 9.8, rated critical. A CVSS v3 base score of 9.8 corresponds to a network-reachable flaw with low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Any application that installs this version therefore inherits that exposure.
The critical finding, tracked as WS-2022-0365, originates in a transitive dependency: `cryptography-37.0.4`. The flaw is not in django-storages' own code; it is inherited from the cryptographic library that the resolved dependency tree pulls in, and which handles the secure data paths of the storage backends. No fix exists for 1.13.1 itself (the scanner marks the remediation path for that version as not possible), so the only remediation is to upgrade to django-storages 1.13.2, where the finding no longer appears. Two caveats matter in practice. First, because the vulnerable code lives in `cryptography`, a project that pins `cryptography` to a release that fixes WS-2022-0365 closes that finding even before its django-storages pin moves; a scanner will still flag the 1.13.1 pin for the remaining findings until it is updated. Second, a wheel declares its requirements in metadata rather than bundling them, so a count of 37 most likely reflects the versions the scanner resolved for that declared tree: a release whose requirements resolve to old or unpatched dependency versions accumulates their findings.
This discovery has broad implications for the Python and Django ecosystem. django-storages is a fundamental library for integrating cloud storage backends such as Amazon S3, Google Cloud Storage, and Azure into Django applications, so any Django deployment that handles user uploads, media files, or static assets through this version is exposed. Developers and security teams should audit their dependency manifests and lockfiles (`requirements.txt`, `pip freeze` output, `Pipfile.lock`, `poetry.lock`), identify any pin of django-storages 1.13.1 and check which version of `cryptography` resolves alongside it, then upgrade to 1.13.2 or later, refresh the transitive pins, and re-scan. Exploitation of a 9.8-rated flaw carries the full confidentiality, integrity, and availability impact that score implies, so the upgrade should be treated as urgent rather than scheduled with routine maintenance.
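The audit the previous paragraph asks for, as an added example that is not code from the django-storages project or from this alert's source: it parses pinned versions out of a requirements file or `pip freeze` listing, flags the two versions the alert names, and walks a dependency graph to show which top-level requirement drags in a flagged transitive package. The advisory table holds only what the alert states (the fixed `cryptography` release is not named, so it is left empty rather than guessed); the `SAMPLE_FREEZE` excerpt is constructed for the walk-through, and the graph walker defaults to the installed-package metadata but accepts any `requires` callable so it can be exercised offline.

```python
"""Offline audit helpers for the django-storages 1.13.1 alert.

Added example, not code from the django-storages project. ADVISORIES lists
only the package/version pairs the alert names; SAMPLE_FREEZE is constructed.
"""
import re
from importlib import metadata
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional


class Advisory(NamedTuple):
    package: str
    affected: str            # the exact version the alert names
    fixed_in: Optional[str]  # None where the alert names no fixed release
    advisory_id: str
    cvss: float


# Only what the alert states. The alert gives no fixed cryptography release,
# so fixed_in is None for that entry rather than a guessed version.
ADVISORIES = [
    Advisory("django-storages", "1.13.1", "1.13.2", "alert summary", 9.8),
    Advisory("cryptography", "37.0.4", None, "WS-2022-0365", 9.8),
]

# Matches `name[extra]==1.2.3 ; marker  # comment`; non-exact pins do not match.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")
# First token of a Requires-Dist string, e.g. 'boto3>=1.4.4; extra == "s3"' -> boto3
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed `pip freeze` / requirements excerpt for the walk-through.
SAMPLE_FREEZE = """\
Django==4.1.2
django-storages[s3]==1.13.1
cryptography==37.0.4   # resolved transitively, not a direct requirement
boto3>=1.24
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Django_Storages and django-storages match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, str]:
    """Map normalised package name -> version for every exact `==` pin.

    Ranges, VCS references and editable installs carry no exact pin and are
    skipped, which is itself a finding: an unpinned dependency can resolve to
    the vulnerable version at the next install.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_affected(pins: Dict[str, str]) -> List[Advisory]:
    """Advisories whose exact affected version is pinned in `pins`."""
    return [a for a in ADVISORIES if pins.get(normalize(a.package)) == a.affected]


def _installed_requires(name: str) -> List[str]:
    """Requires-Dist lines of an installed distribution (empty if absent)."""
    try:
        return metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return []


def dependency_paths(root: str, target: str,
                     requires: Callable[[str], Iterable[str]] = _installed_requires,
                     ) -> List[List[str]]:
    """Every chain root -> ... -> target through the `requires` relation.

    With the default `requires` this answers "which of my top-level packages
    pulls in cryptography?" from the live environment. Requirements guarded by
    an extras marker are followed too, so a reported path may only exist when
    that extra is actually installed.
    """
    root, target = normalize(root), normalize(target)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for req in requires(node):
            m = _REQ_NAME.match(req)
            if not m:
                continue
            dep = normalize(m.group(1))
            if dep not in path:          # guard against dependency cycles
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for adv in find_affected(parse_pins(SAMPLE_FREEZE)):
        fix = f"upgrade to {adv.fixed_in}" if adv.fixed_in else "fixed release not stated"
        print(f"{adv.package}=={adv.affected}: {adv.advisory_id}, CVSS {adv.cvss}, {fix}")
```

Run against a real lockfile by passing its contents to `parse_pins`; call `dependency_paths("your-top-level-package", "cryptography")` inside the project's virtualenv to see the chain that resolves the vulnerable library, which tells you whether bumping django-storages alone will move the `cryptography` pin or whether that pin needs a separate update.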