CVE-2025-66221
EPSS: 0.03%
Werkzeug safe_join() allows Windows special device names
Published: 12/2/2025
Modified: 2/4/2026
Description
Werkzeug's `safe_join` function allows path segments that are Windows device names. On Windows, special device names such as `CON`, `AUX`, etc. are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading from it will hang indefinitely.
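As an added defender-side example (not Werkzeug's own code or its 3.1.4 patch), the following Python rejects Windows device-name segments in user-supplied paths before they reach `safe_join`/`send_from_directory`, and scans constructed access-log lines for such requests. The reserved-name list and the stem/trailing-dot handling are assumptions taken from Windows naming rules, not from the advisory.

```python
import re

# Legacy Windows device names that are implicitly present in every directory.
# Constructed list for this example; it covers the CON/AUX family the advisory names.
_RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

def is_windows_device_name(segment: str) -> bool:
    """True if one path segment would resolve to a Windows device.

    Windows matches these names case-insensitively, ignores trailing dots and
    spaces, and treats "CON.txt" as the CON device, so only the stem before the
    first dot is compared (assumption based on Windows naming rules).
    """
    stem = segment.rstrip(" .").split(".", 1)[0]
    return stem.upper() in _RESERVED_DEVICE_NAMES

def has_windows_device_segment(path: str) -> bool:
    """True if any segment of a request path (either separator) is a device name."""
    return any(is_windows_device_name(s) for s in re.split(r"[\\/]+", path) if s)

def reject_device_paths(path: str) -> str:
    """Guard to run on user-supplied paths before safe_join()/send_from_directory()
    on Windows hosts. Returns the path unchanged or raises ValueError."""
    if has_windows_device_segment(path):
        raise ValueError(f"refusing Windows device name in path: {path!r}")
    return path

# Constructed access-log lines (common log format) for the detection sketch below.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2025:10:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 812
203.0.113.5 - - [02/Dec/2025:10:00:02 +0000] "GET /static/img/CON HTTP/1.1" 200 0
198.51.100.9 - - [02/Dec/2025:10:00:03 +0000] "GET /static/docs/aux.txt HTTP/1.1" 200 0
198.51.100.9 - - [02/Dec/2025:10:00:04 +0000] "GET /static/js/app.js HTTP/1.1" 200 4410
"""
_REQ = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')

def find_device_name_requests(log_text: str) -> list[str]:
    """Return request paths from the log whose segments include a device name.

    The query string is dropped first because it is not part of the filesystem
    path that safe_join() would build."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if m and has_windows_device_segment(m.group(1).split("?", 1)[0]):
            hits.append(m.group(1))
    return hits
```

Running `find_device_name_requests(SAMPLE_LOG)` on the constructed lines flags the two device-name requests; the `200 0` responses beside them are the symptom a hung read would leave behind.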
Affected packages (1)
- PyPI/werkzeug: from 0, < 3.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-66221
- PATCH: https://github.com/pallets/werkzeug
- WEB: https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
- WEB: https://github.com/pallets/werkzeug/releases/tag/3.1.4
- WEB: https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2