Description
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2
Patch x_refsource_misc
https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
Release Notes x_refsource_misc
https://github.com/pallets/werkzeug/releases/tag/3.1.4
Scores
CVSS v3
5.3
EPSS
0.0003
EPSS Percentile
8.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-67
Status
published
Products (2)
palletsprojects/werkzeug
< 3.1.4
pypi/werkzeug
0 - 3.1.4PyPI
Published
Nov 29, 2025
Tracked Since
Feb 18, 2026