Safety vulnerability ID: 73969
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Werkzeug are vulnerable to Path Traversal (CWE-22) on Windows systems running Python versions below 3.11. The safe_join() function failed to properly detect certain absolute paths on Windows, allowing attackers to potentially access files outside the intended directory. An attacker could craft special paths starting with "/" that bypass the directory restrictions on Windows systems. The vulnerability exists in the safe_join() function which relied solely on os.path.isabs() for path validation. This is exploitable on Windows systems by passing paths starting with "/" to safe_join(). To remediate, upgrade to the latest version which includes additional path validation checks.
NOTE: This vulnerability specifically affects Windows systems running Python versions below 3.11 where ntpath.isabs() behavior differs.
Latest version: 3.1.3
The comprehensive WSGI web application library.
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application