CVE-2025-66221
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palletsprojects | werkzeug | up to 3.1.4 (exclusive; 3.1.4 itself is fixed) |
| microsoft | windows | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-67 | The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Werkzeug's safe_join function prior to version 3.1.4. On Windows systems, safe_join allows path segments that include special device names like CON or AUX. When an application running on Windows uses send_from_directory with a path ending in such a device name, the file opens successfully but reading from it causes the process to hang indefinitely. This is due to the way Windows handles these special device names.
How can this vulnerability impact me?
If you run a web application on Windows using Werkzeug versions before 3.1.4, an attacker could craft requests with paths ending in special Windows device names. This would cause the server to hang indefinitely when trying to read the file, potentially leading to denial of service by exhausting resources or making the application unresponsive.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Werkzeug to version 3.1.4 or later, as this version contains the patch that fixes the safe_join function issue causing the vulnerability.
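For readers who cannot upgrade immediately, or who want a defence-in-depth check in front of send_from_directory, the following is an added example, not Werkzeug's own code and not part of this CVE record. It is a small join helper in the spirit of safe_join that, in addition to the usual traversal checks, rejects any path component naming a Windows reserved device. It goes slightly beyond the device names the record mentions (CON, AUX): the reserved-name list and the handling of the extension form (Windows maps "CON.txt" to the same device) are this example's own assumptions, and the function names are hypothetical.

```python
import ntpath
import posixpath
from typing import Optional

# Windows reserved device names. Windows resolves a file name whose stem
# matches one of these to the device itself, even when an extension is
# appended ("NUL.txt") or trailing dots/spaces are present. (Assumed list,
# taken from the documented Win32 naming rules; CON and AUX are the ones
# named in the advisory.)
_RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_windows_device_name(segment: str) -> bool:
    """Return True if a single path component would resolve to a Windows device.

    The stem is the text before the first dot, with trailing spaces and dots
    ignored, which is (conservatively) how Windows parses such names.
    """
    stem = segment.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in _RESERVED_DEVICE_NAMES


def safe_join_no_devices(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted path segments under ``directory`` (hypothetical helper).

    Returns None when the request must be rejected: absolute segments (POSIX or
    Windows style), parent traversal, backslashes, or any component that names
    a Windows device. Otherwise returns the joined POSIX-style path.
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            # Collapse "a/./b" and "a/x/../b" before inspecting the result.
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or posixpath.isabs(filename)
            or ntpath.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        # Check every component, not only the last one: the advisory describes
        # a path *ending* in a device name, but "NUL/anything" is no safer.
        for component in filename.split("/"):
            if is_windows_device_name(component):
                return None
        parts.append(filename)
    return posixpath.join(*parts)
```

A rejected request (None) should be turned into a 404 before any file is opened; the point is to refuse the name at join time, because once open() has succeeded on a device name the subsequent read is what hangs the worker.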