CVE-2026-27199
EPSS: 0.03%
Werkzeug safe_join() allows Windows special device names
Published: 2026/2/19, modified: 2026/2/23
Description
Werkzeug's `safe_join` function allows Windows device names as filenames when they are preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the filtering added for that report failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`: the device-name check was applied to the whole path rather than to each segment. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading from it will hang indefinitely, so an unauthenticated remote request can tie up a worker (availability impact only; no file contents are disclosed or modified).
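The following is an added example, not Werkzeug's own code or the patch referenced above. It reproduces the shape of the check the advisory describes in a stand-alone form: `safe_join_vulnerable` runs the device-name test once over the whole pathname (so `example/NUL` passes), while `safe_join_hardened` applies the same test to every path segment after normalisation. The function names, the helper names and the reserved-name list (CON, PRN, AUX, NUL, COM0-9, LPT0-9, a superset of the names Windows documents) are this example's own choices; the traversal checks mirror the public behaviour of `safe_join` but are simplified. The filter itself runs on any OS; the actual hang only occurs when the returned path is opened and read on Windows.

```python
import os
import posixpath

# Windows reserved device names. On Windows, opening any of these, with or
# without an extension (e.g. "NUL.txt"), talks to the device, not to a file.
# This list is the example's own; it is a superset of the documented names.
WINDOWS_DEVICE_FILES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(10)),
    *(f"LPT{i}" for i in range(10)),
}

# Separators other than "/" that the host OS recognises (backslash on Windows).
_OS_ALT_SEPS = [sep for sep in (os.sep, os.path.altsep) if sep and sep != "/"]


def _is_windows_device(segment: str) -> bool:
    """True if ONE path segment names a reserved device, ignoring case and extension."""
    return os.path.splitext(segment)[0].upper() in WINDOWS_DEVICE_FILES


def _rejects_traversal(filename: str) -> bool:
    """Checks shared by both variants: alternate separators, absolute paths, '..' escapes."""
    return (
        any(sep in filename for sep in _OS_ALT_SEPS)
        or os.path.isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    )


def safe_join_vulnerable(directory: str, *pathnames: str):
    """Pre-fix shape of the check (hypothetical reconstruction): the device-name
    test runs once over the whole, possibly multi-segment, pathname.
    splitext("example/NUL") yields "example/NUL", which is not in the set."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if _rejects_traversal(filename) or _is_windows_device(filename):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def safe_join_hardened(directory: str, *pathnames: str):
    """Same traversal checks, but the device-name test is applied to every
    segment of the normalised pathname, so "example/NUL" is rejected."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if _rejects_traversal(filename):
            return None
        if any(_is_windows_device(seg) for seg in filename.split("/")):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed request paths; the first two are the cases from the advisory.
    for requested in ["NUL", "example/NUL", "img/nul.txt", "css/app.css", "../etc/passwd"]:
        print(
            f"{requested!r:18} vulnerable={safe_join_vulnerable('static', requested)!r:24} "
            f"hardened={safe_join_hardened('static', requested)!r}"
        )
```

Note that normalisation runs before the check in both variants, so `example/../NUL` collapses to `NUL` and is caught even by the vulnerable form; the gap is specifically a device name that survives normalisation as a non-final or final segment after other segments. If you cannot upgrade to 3.1.6 immediately, applying the per-segment test to request paths before they reach `send_from_directory` is the equivalent mitigation.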
Affected packages (1)
- PyPI/werkzeug: >= 0, < 3.1.6 (fixed in 3.1.6)
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-27199
- PATCH: https://github.com/pallets/werkzeug
- WEB: https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
- WEB: https://github.com/pallets/werkzeug/releases/tag/3.1.6
- WEB: https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x