CVE-2025-66221

Description

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4.

CVSS v3.1 Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-67 CWE-67

Affected Products

Vendor	Product	Versions
palletsprojects	werkzeug	< 3.1.4
microsoft	windows	All

References

Advisories & Patches

https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13 https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2

Other References

https://github.com/pallets/werkzeug/releases/tag/3.1.4

Frequently Asked Questions

What is CVE-2025-66221? +

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4. It has a CVSS v3.1 base score of 5.3 (MEDIUM).

How severe is CVE-2025-66221? +

CVE-2025-66221 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-66221? +

CVE-2025-66221 affects products from microsoft, palletsprojects, specifically: werkzeug, windows. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-66221? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-51745 10.0

Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device …

CVE-2024-35197 5.4

gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from …

CVE-2025-27516 8.8

Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the …

CVE-2024-56201 8.8

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja …

CVE-2024-56326 7.8

Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to …

CVE-2024-49767 7.5

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior …