Vulnerability in Pallets Werkzeug

CVE-2025-66221

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments that are Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are impli…

EPSS: 0.000 (9.6th percentile)
