CWE-67

Improper Handling of Windows Device Names

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

CVE-2025-66221 (GCVE-0-2025-66221)
Vulnerability from cvelistv5
Published
2025-11-29 02:28
Modified
2025-12-01 15:35
Severity ?
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-67 - Improper Handling of Windows Device Names
Summary
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4.
References
Impacted products
Vendor Product Version
pallets werkzeug Version: < 3.1.4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-01T15:35:05.219216Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-01T15:35:25.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "werkzeug",
          "vendor": "pallets",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug\u0027s safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-67",
              "description": "CWE-67: Improper Handling of Windows Device Names",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-29T02:28:34.524Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2"
        },
        {
          "name": "https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13"
        },
        {
          "name": "https://github.com/pallets/werkzeug/releases/tag/3.1.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/werkzeug/releases/tag/3.1.4"
        }
      ],
      "source": {
        "advisory": "GHSA-hgf8-39gv-g3f2",
        "discovery": "UNKNOWN"
      },
      "title": "Werkzeug safe_join() allows Windows special device names"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66221",
    "datePublished": "2025-11-29T02:28:34.524Z",
    "dateReserved": "2025-11-24T23:01:29.679Z",
    "dateUpdated": "2025-12-01T15:35:25.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
Mitigation

Phase: Implementation

Description:

  • Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page