PyPI: mkdocs
CVE-2021-40978
Safety vulnerability ID: SFTY-20211007-44364
Safety legacy ID: pyup.io-54697
Mkdocs 1.2.3 includes a fix for CVE-2021-40978: the built-in dev server allows directory traversal on port 8000, enabling a remote attacker to obtain sensitive information. NOTE: the vendor does not agree that this is a security flaw. "It should be mentioned the dev server is known to not be secure and should not be used in a sensitive environment. The security flaw is using the dev-server in an unsafe way, e.g., as a public server and not just as a development server."
Overview
Directory traversal in mkdocs
How to Fix
Mitigation and Workarounds
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20211007-44364/CVE-2021-40978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40978
- https://github.com/advisories/GHSA-qh9q-34h6-hcv9
- https://github.com/mkdocs/mkdocs
- https://github.com/mkdocs/mkdocs/issues/2601
- https://github.com/mkdocs/mkdocs/pull/2604
- https://github.com/mkdocs/mkdocs/pull/2604/commits/cddc453c9d49298e60e7d56fb71130c151cbcbe5
- https://github.com/mkdocs/mkdocs/releases/tag/1.2.3
- https://github.com/nisdn/CVE-2021-40978
- https://github.com/nisdn/CVE-2021-40978/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
- https://github.com/mkdocs/mkdocs/commit/57540911a0d632674dd23edec765189f96f84f6b
- https://github.com/pypa/advisory-database/tree/main/vulns/mkdocs/PYSEC-2021-878.yaml
- https://github.com/mkdocs/mkdocs/commit/1b15412f4caae476c262210315fd068d0521a833
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
