## Django Security Patch Auto-Closed: Critical CVE-2024-45231 & CVE-2022-36359 Remain Unaddressed
A critical automated dependency update for the Django web framework has been automatically closed without being merged, leaving a major security vulnerability unpatched. The pull request, which sought to upgrade Django from the outdated version 3.1.14 to the secure version 4.2.26, was marked as autoclosed. This action effectively blocks the fix for CVE-2024-45231, a newly disclosed vulnerability, and fails to address the older but still relevant CVE-2022-36359, a reflected file download (RFD) attack vector.

The update was managed by the RenovateBot dependency automation tool, which flagged the change as a high-confidence, necessary security patch. The specific vulnerabilities are severe: CVE-2022-36359, present in Django 3.2 before 3.2.15 and 4.0 before 4.0.7, allows RFD attacks when user-supplied input controls the filename in a FileResponse, because that filename is written into the Content-Disposition header. The newer CVE-2024-45231's details are still emerging, but its inclusion underscores the active threat landscape. The project remains stuck on Django 3.1.14, a version that is several releases behind and does not contain these critical security fixes.
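As an added example (not code from the page, from the Renovate PR or from Django itself), the snippet below contrasts the unescaped header construction the advisory describes with a hardened builder, and includes a small RFC 6266-style parser to show what a client would actually recover as the filename. The escaping rules (backslash-escaping quotes in the ASCII form, `filename*=utf-8''` for non-ASCII names, rejecting line breaks) are an assumed, minimal illustration of the mitigation, not Django's implementation.

```python
import re
from typing import Optional
from urllib.parse import quote


def unsafe_content_disposition(filename: str) -> str:
    # The vulnerable pattern: user input interpolated verbatim into the header.
    # A filename containing a double quote ends the quoted-string early, so the
    # client sees a different (attacker-chosen) name and parameter set.
    return f'attachment; filename="{filename}"'


def content_disposition_header(filename: str, as_attachment: bool = True) -> str:
    """Hardened builder (assumed illustration, not Django's code).

    - CR/LF are rejected outright so no additional header can be injected.
    - ASCII names are quoted with backslash and double quote escaped, so the
      quoted-string always spans the whole name.
    - Non-ASCII names use the RFC 5987 filename*= form with percent-encoding.
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("filename must not contain line breaks")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = f'filename="{escaped}"'
    except UnicodeEncodeError:
        file_expr = f"filename*=utf-8''{quote(filename)}"
    return f"{disposition}; {file_expr}"


def parse_quoted_filename(header: str) -> Optional[str]:
    """Extract the filename= quoted-string the way a client would: a quoted
    string runs until the first unescaped double quote, honouring backslash
    escapes. Returns None when no quoted filename parameter is present."""
    match = re.search(r'filename="((?:[^"\\]|\\.)*)"', header)
    if not match:
        return None
    return re.sub(r"\\(.)", r"\1", match.group(1))


if __name__ == "__main__":
    # Constructed sample: a benign name that happens to contain a double quote.
    name = 'q"uote.txt'
    print("unsafe  :", unsafe_content_disposition(name))
    print("  parsed:", parse_quoted_filename(unsafe_content_disposition(name)))
    print("hardened:", content_disposition_header(name))
    print("  parsed:", parse_quoted_filename(content_disposition_header(name)))
```

Running it shows the unsafe header being parsed back as just `q`, while the hardened header round-trips the full name; the filename check is the place to add a regression test when pinning a Django upgrade like the one in the closed PR.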

This autoclosure creates a direct and immediate security exposure for any application relying on this codebase. It signals a potential breakdown in the software supply chain security process, where automated security alerts are generated but not acted upon. The failure to merge this patch leaves the application open to exploitation, raising significant operational risk. For development teams, this incident serves as a stark warning about the dangers of over-relying on automation without robust review and merge protocols, especially for security-critical dependencies.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, dependency_management, CVE, supply_chain
- **Credibility**: unverified
- **Published**: 2026-03-27 02:26:59
- **ID**: 36577
- **URL**: https://whisperx.ai/en/intel/36577