Werkzeug Safe Join Function Vulnerability Allowing Windows Device Names

Vulnerability

A vulnerability exists in Werkzeug's safe_join function prior to version 3.1.5: it accepts path segments that contain Windows special device names followed by a file extension or trailing spaces. These device names, such as CON and AUX, are accessible from every directory on Windows. The vulnerability can be exploited when an application uses safe_join to serve files from user-specified paths: if the requested path ends with a device name, the file read operation hangs indefinitely.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where file read operations are indefinitely stalled.

Reproduction

The vulnerability can be reproduced by calling the safe_join function on a Windows system with path segments that include a special device name such as 'CON' or 'AUX', appended with a file extension or trailing spaces. safe_join does not reject these segments, so the resulting path can be passed to file operations. The condition can be checked automatically with a test such as the 'test_safe_join_windows_special' function in the Werkzeug test suite, which verifies that safe_join correctly disallows these device names on Windows.
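As an added example (not Werkzeug's own code), the check below shows how a safe_join-style helper can reject segments that resolve to a Windows device name, including the extension and trailing-space variants described above. The reserved-name list and the normalisation rules (trailing spaces and dots ignored, extension ignored) are assumptions taken from documented Windows filename behaviour, applied conservatively.

```python
import posixpath
from typing import Optional

# Assumed list of names Windows treats as devices in any directory.
_WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_windows_device_name(segment: str) -> bool:
    """Return True if a single path segment resolves to a Windows device.

    Windows ignores trailing spaces and dots, and ignores the extension
    when matching device names, so 'CON.txt', 'con ' and 'AUX.tar.gz'
    all refer to the device.  Matching is case-insensitive.
    """
    base = segment.rstrip(" .")            # 'CON ' -> 'CON', 'CON.' -> 'CON'
    base = base.split(".", 1)[0]           # 'CON.txt' -> 'CON'
    base = base.rstrip(" ")                # conservative: 'CON .txt' -> 'CON'
    return base.upper() in _WINDOWS_DEVICE_NAMES


def safe_join_strict(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments under directory, or return None if unsafe.

    Hypothetical helper, not Werkzeug's implementation.  Rejects absolute
    segments, backslashes, parent-directory escapes and device names.
    """
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or filename.startswith("/")
            or filename == ".."
            or filename.startswith("../")
            or any(is_windows_device_name(seg) for seg in filename.split("/"))
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```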

Remediation

Users should upgrade to Werkzeug version 3.1.5 or later, where this vulnerability has been patched.

Added: Jan 8, 2026, 7:37 PM
Updated: Jan 8, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 6.9
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.