Werkzeug Safe Join Function Vulnerability Allowing Windows Device Names

Vulnerability

A vulnerability exists in Werkzeug versions prior to 3.1.6 within the safe_join function, which improperly allows Windows special device names (such as NUL) as filenames when they are preceded by other path segments. The issue arises because safe_join accepts multi-segment paths, such as 'example/NUL', and the device-name check did not cover a device name appearing in a later segment. The vulnerability is exploitable when the send_from_directory function, which relies on safe_join to serve files from user-specified paths, is used on a Windows system. If the requested path ends with a device name, the file is opened successfully, but the read operation hangs indefinitely.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the application hangs indefinitely while attempting to read a file that was opened successfully.

Reproduction

To reproduce this vulnerability, use a Werkzeug version prior to 3.1.6 and request a path that includes a Windows special device name, such as 'NUL', preceded by another path segment (for example 'example/NUL'). When this path is served through the send_from_directory function on a Windows system, the application hangs while trying to read the file, demonstrating the denial-of-service condition.

Remediation

Users can upgrade to Werkzeug version 3.1.6 or later, where this vulnerability has been fixed.
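The mitigation described above is to upgrade. For environments that cannot upgrade immediately, or to understand what a segment-aware check looks like, the following added example (written for this page, not Werkzeug's own safe_join or its 3.1.6 fix) shows a hypothetical hardened_safe_join that rejects a Windows reserved device name in any path segment, not only a single-segment name. The function names hardened_safe_join and is_windows_reserved, the WINDOWS_RESERVED_NAMES set, and the sample paths are all constructed for this example; the device-name check runs on every platform so it can be tested outside Windows.

```python
import ntpath
import os
import posixpath
from typing import Optional

# Classic Windows reserved device names (case-insensitive). On Windows, a
# trailing extension does not change the outcome, so "NUL.txt" is also a
# device name. Constructed for this example, not taken from Werkzeug.
WINDOWS_RESERVED_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}

# Separators other than "/" that must not appear inside a segment.
_ALT_SEPS = {sep for sep in (os.sep, os.path.altsep, "\\") if sep and sep != "/"}


def is_windows_reserved(segment: str) -> bool:
    """True if a single path segment names a Windows device (e.g. NUL, nul.txt)."""
    base = segment.partition(".")[0].rstrip(" ").upper()
    return base in WINDOWS_RESERVED_NAMES


def hardened_safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments to a trusted base directory, or return None.

    Rejects absolute paths, parent-directory escapes and, the case this
    advisory describes, a device name in *any* segment of a multi-segment
    path such as 'example/NUL'. Hypothetical replacement, not Werkzeug's code.
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            any(sep in filename for sep in _ALT_SEPS)
            or posixpath.isabs(filename)
            or ntpath.isabs(filename)      # catch Windows drive paths on any OS
            or filename == ".."
            or filename.startswith("../")
            # Every segment is checked, not just the whole string.
            or any(is_windows_reserved(seg) for seg in filename.split("/") if seg)
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def classify_requests(base: str, requested: list[str]) -> dict[str, Optional[str]]:
    """Map each requested path to its safe joined path, or None if rejected."""
    return {req: hardened_safe_join(base, req) for req in requested}


if __name__ == "__main__":
    # Constructed sample requests a file-serving endpoint might receive.
    sample = ["css/app.css", "example/NUL", "docs/nul.txt", "../etc/passwd", "nullable.txt"]
    for req, result in classify_requests("static", sample).items():
        print(f"{req!r:20} -> {'REJECTED' if result is None else result}")
```

The join itself mirrors the shape of a typical safe_join (normalize, reject separators, absolute paths and '..', then join), and the only addition is the per-segment device-name test; that is the check to look for when reviewing any path-joining helper that feeds open() on Windows.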

Added: Feb 21, 2026, 7:13 AM
Updated: Feb 21, 2026, 7:13 AM

Vulnerability Rating

Custom Algorithm

spread:         8.1
impact:         2.5
exploitability: 6.9
remediation:    7.7
relevance:      3.1
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.