PyPI: werkzeug
CVE-2025-66221
Safety vulnerability ID: SFTY-20251202-73741
Safety legacy ID: pyup.io-82196
Overview
Werkzeug safe_join() allows Windows special device names
Advisory
Affected versions of the Werkzeug package are vulnerable to Denial of Service (DoS) due to improper handling of Windows special device names in the safe_join function. In Werkzeug versions before 3.1.4, safe_join permits path segments such as “CON” or “AUX” to pass validation, allowing send_from_directory to construct a path that resolves to a Windows device file, which opens successfully but then blocks indefinitely when read.
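As an added example (not Werkzeug's own code and not its 3.1.4 fix), the following hypothetical `safe_join` combines the usual traversal checks with the check this advisory is about: rejecting any path segment that names a Windows reserved device before the joined path can reach an `open()` call. The `is_windows_reserved_name` helper, the reserved-name set and the sample directory are assumptions for illustration.

```python
import posixpath
from typing import Optional

# Windows reserved device names. Assumption for this example: the classic set
# (CON, PRN, AUX, NUL, COM1-9, LPT1-9). Windows has historically resolved both
# "CON" and "con.txt" to the console device rather than to a file inside the
# directory, so the extension is ignored when matching.
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_windows_reserved_name(segment: str) -> bool:
    """Return True if a single path segment would resolve to a Windows device."""
    # Everything after the first dot is treated as an extension, which Windows
    # ignores for device names; trailing spaces are ignored as well.
    base = segment.split(".", 1)[0].rstrip(" ")
    return base.upper() in _WINDOWS_RESERVED


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Hypothetical safe_join: join untrusted segments under `directory`.

    Returns None when any segment would escape the directory or, the check
    this advisory is about, when any segment names a Windows device.
    """
    parts = [directory]
    for filename in pathnames:
        if filename == "":
            continue
        filename = posixpath.normpath(filename)
        # Traversal checks: no backslashes, no absolute paths, no climbing out.
        if (
            "\\" in filename
            or posixpath.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        # Device-name check: a segment such as "CON" or "logs/aux.log" is
        # rejected before it can become a path whose read blocks forever.
        if any(is_windows_reserved_name(seg) for seg in filename.split("/")):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed inputs: one ordinary file, two device names, one traversal.
    for name in ("css/site.css", "CON", "logs/aux.log", "../etc/passwd"):
        print(repr(name), "->", safe_join("/srv/static", name))
```

The device check runs on every platform, not only on Windows, which is the simplest way to keep behaviour identical across deployments and tests. On Windows with Python 3.13 or later, the standard library's `os.path.isreserved()` can replace the hand-written helper.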
How to Fix
Upgrade Werkzeug to version 3.1.4 or later; the fix commit and the 3.1.4 release are listed under References.
Vulnerable Functions
- safe_join
- send_from_directory (reaches the vulnerable path handling through safe_join)
References
- https://getsafety.com/vulnerabilities/SFTY-20251202-73741/CVE-2025-66221
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66221
- https://github.com/advisories/GHSA-hgf8-39gv-g3f2
- https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
- https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2
- https://nvd.nist.gov/vuln/detail/CVE-2025-66221
- https://github.com/pallets/werkzeug/releases/tag/3.1.4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.