CVE-2025-66221: Werkzeug safe_join() allows Windows special device names

Published Nov 29, 2025
·
Updated

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4.

Affected Software

8 affected componentsFixes available
Pallets Werkzeug<3.1.4
pip/werkzeug<3.1.4
3.1.4
All of the following
palletsprojects Werkzeug<3.1.4
Microsoft Windows
Microsoft cbl2 python-tensorboard 2.11.0-3
Microsoft azl3 python-tensorboard 2.16.2-6
Microsoft azl3 tensorflow 2.16.1-9
IBM watsonx.data intelligence<=5.2.0, 5.2.1, 5.3.0, 5.3.1

Remediation

Patch Available

https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13

Event History

Nov 29, 2025
CVE Published
via MITRE·02:28 AM
Data Sourced
via MITRE·02:28 AM
DescriptionWeakness
Data Sourced
via NVD·03:16 AM
RemedyDescriptionSeverityWeaknessAffected Software
Dec 2, 2025
Advisory Published
via GitHub·12:27 AM
Data Sourced
via GitHub·12:27 AM
DescriptionWeaknessAffected Software
Dec 3, 2025
Data Sourced
via Microsoft·01:01 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·01:01 AM
Affected Software
Updated
via Microsoft·01:01 AM
DescriptionSeverity
Apr 27, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-66221?

CVE-2025-66221 has been classified with medium severity due to the potential exposure of sensitive information through the unsafe handling of path segments.

2

How do I fix CVE-2025-66221?

To fix CVE-2025-66221, upgrade Werkzeug to version 3.1.4 or later where the vulnerability is addressed.

3

What specific issue does CVE-2025-66221 address?

CVE-2025-66221 addresses the vulnerability in Werkzeug's safe_join function that allows path segments with special Windows device names, which may lead to unauthorized access.

4

Which versions of Werkzeug are affected by CVE-2025-66221?

Werkzeug versions prior to 3.1.4 are affected by CVE-2025-66221.

5

Is there a patch for CVE-2025-66221?

Yes, the patch for CVE-2025-66221 is included in Werkzeug version 3.1.4 and later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203