
[Snyk: Medium] Improper Handling of Windows Device Names (Due: 04/25/26) #6507

@tmpayton

Description

Vulnerability

CWE-67
CVE-2026-27199
CVSS 6.3 (Medium)

SNYK-PYTHON-WERKZEUG-15322677

Introduced through
[email protected], [email protected] and others

Fixed in
[email protected]
Exploit maturity
No known exploit
Detailed paths and remediation
Introduced through: [email protected][email protected]
Fix: Upgrade werkzeug to version 3.1.6
Introduced through: [email protected][email protected][email protected]
Fix: Pin werkzeug to version 3.1.6
Introduced through: [email protected][email protected][email protected]
Fix: Pin werkzeug to version 3.1.6
…and 4 more

Security information

Factors contributing to the scoring:
Snyk: CVSS v4.0 6.3 - Medium Severity | CVSS v3.1 3.7 - Low Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Improper Handling of Windows Device Names via the safe_join function. An attacker can cause the application to hang indefinitely by requesting a path ending with a Windows special device name.

Notes:

  • This is only vulnerable on Windows, where special device names are implicitly present in every directory.
  • This is a bypass of CVE-2025-66221, as the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.
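The multi-segment bypass described in the notes can be illustrated with a per-segment device-name check. This is an added example, not Werkzeug's own code: `is_windows_device_name`, `whole_string_check`, `per_segment_check` and the `safe_join` helper are hypothetical functions written for this issue, and the reserved-name list is assumed to be Microsoft's classic set.

```python
import posixpath
import re
from typing import Optional

# Names Windows reserves for devices (Microsoft's classic list). Windows treats a
# file name equal to one of these as the device even with an extension ("NUL.txt")
# and ignores trailing spaces and dots, so the check below normalises for that.
# Assumption: the classic set is enough here; extend it if your reference lists more.
_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)
_SEPARATORS = re.compile(r"[\\/]+")   # accept both separators, as safe_join does


def is_windows_device_name(segment: str) -> bool:
    """True if one path segment would resolve to a device on Windows."""
    base = segment.split(".", 1)[0]          # drop any extension: "NUL.txt" -> "NUL"
    return base.rstrip(" ").upper() in _DEVICE_NAMES


def whole_string_check(untrusted: str) -> bool:
    """The insufficient pattern: tests the request path as if it were one name."""
    return is_windows_device_name(untrusted)


def per_segment_check(untrusted: str) -> bool:
    """Tests every segment, so "example/NUL" is rejected as well as "NUL"."""
    return any(is_windows_device_name(s) for s in _SEPARATORS.split(untrusted) if s)


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Hypothetical join helper (not Werkzeug's): None means refuse the request."""
    parts = [p for p in pathnames if p]
    for part in parts:
        segments = _SEPARATORS.split(part)
        if part.startswith(("/", "\\")) or ".." in segments or per_segment_check(part):
            return None
    return posixpath.join(directory, *parts) if parts else directory
```

Running it on non-Windows hosts is fine: the check is pure string handling, so it can be unit-tested anywhere before deploying to a Windows server.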

Completion Criteria

  • Upgrade werkzeug to v3.1.6

Metadata

Assignees

No one assigned
