Improper Handling of Windows Device Names in Werkzeug

CVE-2026-21860

Werkzeug

Medium

6.3/10

Summary

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's "safe_join()" function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as "CON.txt", or trailing spaces such as CON. This issue has been patched in version 3.1.5.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-67 - Improper Handling of Windows Device Names

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

References

Advisory Timeline

Published Jan 08, 2026

Improper Handling of Windows Device Names in Werkzeug

CVE-2026-21860

Summary

CWE-67 - Improper Handling of Windows Device Names

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS