GHSA-87hc-h4r5-73f7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-87hc-h4r5-73f7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-87hc-h4r5-73f7
- Aliases
- Downstream
- Published
- 2026-01-08T19:51:21Z
- Modified
- 2026-01-08T22:01:40.408683Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Werkzeug safe_join() allows Windows special device names with compound extensions
- Details
-
Werkzeug's
safe_joinfunction allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such asCON,AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such asCON.txt, or trailing spaces such asCON.This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as
CON.txt.htmlor trailing spaces. It also missed some additional special names.send_from_directoryusessafe_jointo safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. - Database specific
{ "cwe_ids": [ "CWE-67" ], "severity": "MODERATE", "nvd_published_at": "2026-01-08T19:15:59Z", "github_reviewed": true, "github_reviewed_at": "2026-01-08T19:51:21Z" }- References
Affected packages
PyPI / werkzeug
Package
- Name
- werkzeug
- View open source insights on deps.dev
- Purl
- pkg:pypi/werkzeug
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.1.5