CVE-2026-21860
Path Traversal in Werkzeug safe_join Allows Windows Device Access
Publication date: 2026-01-08
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pallets | werkzeug | to 3.1.5 (exc) |
| palletsprojects | werkzeug | to 3.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-67 | The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Werkzeug's safe_join function on Windows allows path segments to include special device names (like CON, AUX) with file extensions or trailing spaces. Windows treats these device names specially and allows access to them in any directory, which can be exploited to bypass path safety checks. Prior to version 3.1.5, safe_join did not fully prevent such usage, potentially allowing malicious paths to access or manipulate these special device files. The issue was fixed by expanding the list of disallowed device names and improving the checks to reject any path component that matches these names regardless of extensions or spaces. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to craft file paths that exploit Windows special device names with extensions or trailing spaces, potentially leading to unauthorized file access or manipulation. This can result in security issues such as path traversal attacks or improper file handling, which may compromise the integrity or confidentiality of your application data on Windows systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to the Werkzeug library's safe_join function improperly allowing Windows special device names with extensions or trailing spaces. Detection involves checking if your system is running a vulnerable version of Werkzeug (prior to 3.1.5) and if any file paths use Windows special device names such as CON, AUX, NUL, COM1, LPT1, including variants with extensions or trailing spaces. There are no specific network commands provided to detect exploitation attempts. However, you can check the Werkzeug version installed by running: `pip show werkzeug` or `pip list | grep werkzeug`. To detect suspicious file paths in your application logs or code, you might search for patterns matching these device names with extensions or trailing spaces. For example, on Windows PowerShell, you could run commands to find files or paths matching these patterns, but no explicit commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Werkzeug to version 3.1.5 or later, where the safe_join function has been patched to disallow Windows special device names with extensions or trailing spaces. This update expands the list of disallowed device names and improves path validation to prevent exploitation. Until upgraded, avoid using unsafe path joins with user-supplied input that could include Windows device names with extensions or trailing spaces. [1]