Description
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5.
Published: 2026-01-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read arbitrary Windows device files
Action: Upgrade to 3.1.5
AI Analysis

Impact

Werkzeug is a Python WSGI library used to build web applications. A flaw was discovered in the safe_join helper function used to combine path components before version 3.1.5. The function fails to reject Windows‑specific device names such as CON, AUX, PRN, NUL, COM1–COM9, and LPT1–LPT9 when those names are combined with file extensions or trailing spaces. Because Windows treats these names as built‑in devices accessible from any directory, an attacker can construct a request that resolves to a device stream and read its contents or enumerate the devices, exposing data that the application should not normally access.

Affected Systems

The vulnerability affects all releases of Werkzeug prior to 3.1.5 that run on Windows operating systems. It is relevant to any Python web application that includes Werkzeug as a dependency, such as Flask or other frameworks that rely on Werkzeug’s safe_join for file handling. The issue does not exist in non‑Windows environments, nor in Werkzeug versions 3.1.5 and newer, where the fix is already in place.

Risk and Exploitability

The CVSS score is 6.3, indicating a moderate severity. Ephemeral probability of exploitation is low (< 1 %) and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The attack requires that the application uses safe_join to construct a file path on a Windows host; an attacker could supply a crafted path or file name, cause safe_join to resolve to a device name, and then read the resulting device stream. The low exploitation likelihood, coupled with the availability of a straightforward patch, means the risk to a well‑maintained systems portfolio is modest.

Generated by OpenCVE AI on April 18, 2026 at 07:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Werkzeug to version 3.1.5 or later.
  • If patch cannot be applied immediately, implement custom validation to reject filenames containing Windows device names such as CON, AUX, PRN, NUL, COM1–COM9, and LPT1–LPT9, including their variants with extensions or trailing spaces.
  • Configure the application to run with minimal privileges and enforce directory restrictions to prevent unintended file system access.

Generated by OpenCVE AI on April 18, 2026 at 07:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87hc-h4r5-73f7 Werkzeug safe_join() allows Windows special device names with compound extensions
History

Mon, 02 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
Palletsprojects
Palletsprojects werkzeug
Vendors & Products Microsoft
Microsoft windows
Palletsprojects
Palletsprojects werkzeug

Thu, 08 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Description Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5.
Title Werkzeug safe_join() allows Windows special device names with compound extensions
Weaknesses CWE-67
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Microsoft Windows
Palletsprojects Werkzeug
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:50:34.504Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21860

cve-icon Vulnrichment

Updated: 2026-01-08T18:50:31.180Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T19:15:59.000

Modified: 2026-02-02T17:15:30.510

Link: CVE-2026-21860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses