Werkzeug Safe Join Function Vulnerability Allowing Windows Device Name Paths

Vulnerability

A vulnerability exists in Werkzeug's safe_join function in versions prior to 3.1.4, allowing the use of Windows special device names as path segments. On Windows, device names like CON and AUX are always present and readable in any directory. The send_from_directory function, which relies on safe_join to serve files from user-specified paths, can be exploited by requesting a path that ends with a device name. While the file will be opened, the read operation will hang indefinitely. This issue has been addressed in Werkzeug version 3.1.4.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where file reading operations hang indefinitely.

Reproduction

To reproduce this vulnerability, use Werkzeug versions prior to 3.1.4 on a Windows system. Request a file from a directory using the send_from_directory function, ensuring that the path ends with a special device name like CON or AUX. The file will be opened, but the reading process will become unresponsive.

Remediation

Users can upgrade to Werkzeug version 3.1.4 or later, where this vulnerability has been fixed.
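For deployments that want an explicit guard in front of a file-serving helper, the following added example (not Werkzeug's own code or its 3.1.4 fix) rejects requested paths containing a Windows reserved device name before any file is opened. The reserved-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the rule that Windows strips trailing dots and spaces and matches the name before the first dot are assumptions about classic Windows name handling; `guarded_join` is a hypothetical helper, not a Werkzeug API.

```python
import posixpath
import re
from typing import Optional

# Classic Windows reserved device names (assumption: the legacy documented set).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def _is_reserved_segment(segment: str) -> bool:
    """True if Windows would resolve this name component to a device.

    Windows ignores trailing dots and spaces in a component and matches the
    part before the first dot, so 'con', 'CON.txt' and 'CON ' all mean CON.
    """
    stem = segment.rstrip(" .").split(".", 1)[0]
    return stem.upper() in _RESERVED


def has_windows_device_name(path: str) -> bool:
    """Return True if any segment (split on '/' or '\\') is a device name."""
    return any(seg and _is_reserved_segment(seg) for seg in re.split(r"[\\/]+", path))


def guarded_join(directory: str, requested: str) -> Optional[str]:
    """Join a user-supplied relative path under directory, or return None.

    Rejects absolute paths, drive prefixes, '..' traversal and any segment that
    is a Windows device name, so a request such as 'docs/NUL' never reaches open().
    """
    segments = re.split(r"[\\/]+", requested)
    if requested == "" or segments[0] == "":      # empty or absolute ('/x', '\\x')
        return None
    if any(seg == ".." or ":" in seg for seg in segments):
        return None
    if has_windows_device_name(requested):
        return None
    return posixpath.join(directory, *(seg for seg in segments if seg not in ("", ".")))
```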

Added: Nov 29, 2025, 3:19 AM
Updated: Nov 29, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread          8.1
impact          0.6
exploitability  6.9
remediation     7.7
relevance       1.2
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.