Search for packages
| purl | pkg:pypi/werkzeug@3.0.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3mxv-vxtj-8kde
Aliases: CVE-2026-21860 GHSA-87hc-h4r5-73f7 |
Werkzeug safe_join() allows Windows special device names with compound extensions Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. |
Affected by 1 other vulnerability. |
|
VCID-6cpm-rdw8-7fh6
Aliases: CVE-2025-66221 GHSA-hgf8-39gv-g3f2 |
Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. |
Affected by 2 other vulnerabilities. |
|
VCID-jxz2-8tqb-mbeg
Aliases: CVE-2026-27199 GHSA-29vq-49wr-vm6x |
Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-19qx-5d4g-pfdn | Werkzeug safe_join not safe on Windows On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. |
CVE-2024-49766
GHSA-f9vj-2wh5-fj8j |
| VCID-myg8-m4rh-ruae | Werkzeug possible resource exhaustion when parsing file data in forms Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting. The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application. |
CVE-2024-49767
GHSA-q34m-jh98-gwm2 |