
Werkzeug's safe_join function allows malicious Windows filenames

CVE-2026-27199 GHSA-29vq-49wr-vm6x
Summary

Werkzeug's safe_join function allows attackers to trick the application into serving files with Windows device names as filenames. This can cause the application to hang indefinitely if the requested path ends with a special device name. To fix this, update Werkzeug to the latest version or use an alternative method to serve files safely.

What to do
  • Update werkzeug to version 3.1.6.
Affected software
Vendor            Product    Affected versions   Fix available
                  werkzeug   <= 3.1.6            3.1.6
palletsprojects   werkzeug   <= 3.1.6
Original title
Werkzeug safe_join() allows Windows special device names
Original description
Werkzeug's `safe_join` function allows Windows device names as filenames if preceded by other path segments.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
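To illustrate the gap described above, here is an added example (not Werkzeug's own code) contrasting a filter that inspects only the whole requested path with one that inspects every segment, wrapped in a minimal `safe_join`-style helper. The set of reserved names and the stem-before-first-dot rule are assumptions about Windows naming, not values from the advisory.

```python
import ntpath
import posixpath

# Windows reserved device names (assumption: case-insensitive, and a name
# still refers to the device when an extension follows it, e.g. "NUL.txt").
_WINDOWS_DEVICE_FILES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_windows_device_name(segment: str) -> bool:
    """True if a single path segment names a reserved Windows device."""
    stem = segment.split(".", 1)[0].strip().upper()
    return stem in _WINDOWS_DEVICE_FILES


def naive_check(filename: str) -> bool:
    """Insufficient filter: only the whole string is inspected, so a
    multi-segment path such as 'example/NUL' is not recognised."""
    return is_windows_device_name(filename)


def contains_device_name(filename: str) -> bool:
    """Per-segment filter: split on both separators and inspect every
    segment, so 'example/NUL' and 'example\\nul.txt' are both caught."""
    segments = filename.replace("\\", "/").split("/")
    return any(is_windows_device_name(s) for s in segments if s)


def safe_join(directory: str, *pathnames: str):
    """Join user-supplied segments under directory, refusing absolute paths,
    traversal and reserved device names in any segment. None on rejection."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename.replace("\\", "/"))
        if (
            filename.startswith("/")
            or filename == ".."
            or filename.startswith("../")
            or ntpath.isabs(filename)
            or ntpath.splitdrive(filename)[0]
            or contains_device_name(filename)
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```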
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 6.3
Vulnerability type
CWE-67
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026