Improper Handling of Windows Device Names
CVE-2025-66221
Summary
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's "safe_join" function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory. "send_from_directory" uses "safe_join" to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4.
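The following is an added example, not Werkzeug's own code or its 3.1.4 fix: a `safe_join`-style helper that performs the usual traversal checks and additionally rejects any path segment that would resolve to a Windows device. The device list, the helper names (`is_windows_device_name`, `hardened_safe_join`, `classify_requests`) and the sample requests are assumptions constructed for this example. Windows matches reserved names case-insensitively, ignores an extension ("con.txt" still refers to CON) and ignores trailing spaces and dots, so the check normalises for those before matching.

```python
import posixpath
import re

# Classic reserved DOS device names (list constructed for this example, not
# taken from Werkzeug). Matching is case-insensitive and stops at the first
# dot, because Windows treats "con.txt" as the CON device.
_WINDOWS_DEVICE_RE = re.compile(
    r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", re.IGNORECASE
)

# Drive-letter prefix such as "C:" which posixpath.isabs() would not flag.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_windows_device_name(segment: str) -> bool:
    """Return True if a single path segment would resolve to a Windows device."""
    # Windows ignores trailing spaces and dots when resolving reserved names.
    return _WINDOWS_DEVICE_RE.match(segment.rstrip(" .")) is not None


def hardened_safe_join(directory: str, *pathnames: str):
    """Join untrusted path segments under ``directory``.

    Returns the joined POSIX-style path, or None when any segment is unsafe:
    a backslash, an absolute or drive-letter path, ".." traversal, or a
    segment that names a Windows device.
    """
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)

        if (
            "\\" in filename
            or posixpath.isabs(filename)
            or _DRIVE_RE.match(filename) is not None
            or filename == ".."
            or filename.startswith("../")
        ):
            return None

        # The device-name check is per segment: "docs/CON" is as bad as "CON".
        if any(is_windows_device_name(seg) for seg in filename.split("/")):
            return None

        parts.append(filename)

    return posixpath.join(*parts)


def classify_requests(directory: str, requested):
    """Map each requested path to its resolved safe path, or None if rejected.

    Handy for unit-testing a file-serving route or for logging what a
    hardened join would have refused.
    """
    return {req: hardened_safe_join(directory, req) for req in requested}


if __name__ == "__main__":
    # Constructed sample requests, including the device-name case from the advisory.
    sample = ["css/app.css", "../secret", "CON", "docs/con.txt", "COM1 ", "console.log"]
    for req, result in classify_requests("static", sample).items():
        print(f"{req!r:16} -> {'rejected' if result is None else result}")
```

Note that "console.log" is accepted: the regex requires the reserved name to be the whole base name before any dot, so ordinary files that merely start with "con" are not refused.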
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-67 - Improper Handling of Windows Device Names
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
References
Advisory Timeline
- Published