Path Manipulation Vulnerability in Werkzeug Web Application Library
CVE-2025-66221

6.3MEDIUM

Key Information:

Vendor

Pallets

Status
Werkzeug
Vendor
CVE Published:
29 November 2025

What is CVE-2025-66221?

The Werkzeug library prior to version 3.1.4 contains a vulnerability in its safe_join function, which allows for path segments that include Windows device names. On Windows systems, these device names such as CON and AUX can lead to unexpected behavior when accessing files. Specifically, when a request path ends with a device name, the application may open the file but hang indefinitely during reading. This behavior underscores a potential for service disruption in applications running on Windows. It is important for users to update to version 3.1.4 or later to mitigate this issue.

Affected Version(s)

werkzeug < 3.1.4

References

https://github.com/pallets/werkzeug/security/advisories/G...
x_refsource_CONFIRM
https://github.com/pallets/werkzeug/commit/4b833376a45c32...
x_refsource_MISC
https://github.com/pallets/werkzeug/releases/tag/3.1.4
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.