What is CVE-2024-49766?

CVE-2024-49766 is a vulnerability in Pallets Werkzeug, classified under Path Traversal. Published 2024-10-25.

Is CVE-2024-49766 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Pallets Werkzeug

CVE-2024-49766

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is n…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.014 (80.7th percentile) — read the EPSS interpretation.

Affected products

Pallets Werkzeug — versions < 3.0.6

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

nvn1729/advisories

References

https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j (x_refsource_CONFIRM)
https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092 (x_refsource_MISC)
https://github.com/pallets/werkzeug/releases/tag/3.0.6 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-49766?: CVE-2024-49766 is a vulnerability in Pallets Werkzeug, classified under Path Traversal. Published 2024-10-25.
Is CVE-2024-49766 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.