Python/werkzeug/3.1.4
The comprehensive WSGI web application library.
https://pypi.org/project/werkzeug
UNKNOWN
1 Security Vulnerability
Werkzeug safe_join() allows Windows special device names
- https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
- https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
- https://github.com/pallets/werkzeug/releases/tag/3.1.6
- https://github.com/advisories/GHSA-29vq-49wr-vm6x
- https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Werkzeug's safe_join function allows Windows device names as filenames when they are preceded by other path segments.
This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.
send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
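A defensive per-segment check of the kind the advisory describes as missing for multi-segment paths, shown here as an added example rather than Werkzeug's own code; the function names are assumptions, and the reserved-name set follows Microsoft's documented device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9):

```python
"""Reject Windows reserved device names in any segment of a relative path.

Added example, not Werkzeug's own code. It complements, rather than
replaces, the usual checks for ".." segments and absolute paths.
"""
import re
from typing import Optional

# Reserved device names as documented by Microsoft; matching is
# case-insensitive because Windows treats "nul" and "NUL" alike.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def _base_name(segment: str) -> str:
    # Windows resolves the device from the name before the first dot and
    # ignores trailing dots and spaces, so "NUL.txt" and "nul " both mean NUL.
    return segment.split(".", 1)[0].rstrip(" .").upper()


def has_windows_device_name(path: str) -> bool:
    """Return True if any segment of `path` names a Windows device.

    Every segment is checked, not only the first one, which is the case
    the advisory describes ("example/NUL").
    """
    for segment in re.split(r"[\\/]+", path):
        if segment and _base_name(segment) in _RESERVED:
            return True
    return False


def check_path(path: str) -> Optional[str]:
    """Return `path` if it is safe to hand to a file-serving helper on
    Windows, or None if the request should be rejected (e.g. with a 404)."""
    if has_windows_device_name(path):
        return None
    return path
```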
106 Other Versions
| Version | License | Security | Released | Age |
|---|---|---|---|---|
| 0.4.1 | BSD | 7 | 2009-01-11 - 10:45 | over 17 years |
| 0.4 | BSD | 7 | 2008-11-23 - 14:49 | over 17 years |
| 0.3.1 | BSD | 7 | 2008-06-24 - 15:27 | almost 18 years |
| 0.3 | BSD | 7 | 2008-06-14 - 16:21 | almost 18 years |
| 0.2 | BSD | 7 | 2008-02-13 - 22:39 | about 18 years |
| 0.1 | BSD | 7 | 2007-12-09 - 18:32 | over 18 years |
