Overview
CVE-2025-66221 describes a security vulnerability in Werkzeug, a comprehensive WSGI web application library. Specifically, the safe_join function, when used in conjunction with send_from_directory on Windows operating systems, can lead to a denial-of-service (DoS) condition. This occurs because safe_join incorrectly handles path segments containing Windows device names (e.g., CON, AUX). This vulnerability is patched in Werkzeug version 3.1.4.
Technical Details
On Windows systems, certain device names such as “CON,” “AUX,” “PRN,” “NUL,” “COM1,” “COM2,” etc. are reserved and implicitly exist in every directory. When Werkzeug’s safe_join function processes a path ending with such a device name, it fails to reject it. Consequently, when send_from_directory attempts to serve a file using this unsanitized path, the operating system successfully opens the device rather than a file. Reading from such a device typically blocks indefinitely, so the request handler hangs and a DoS results. The root cause is insufficient input validation in safe_join with respect to reserved Windows device names.
CVSS Analysis
Currently, a CVSS score is not available (N/A) for this vulnerability. However, based on the potential impact, it’s likely to be classified as a moderate to high severity issue, especially if exploitable without authentication.
Possible Impact
The primary impact of CVE-2025-66221 is a denial-of-service (DoS). An attacker could craft a malicious URL that, when processed by a Werkzeug-based application running on Windows, leads to a server thread or process hanging indefinitely. This could exhaust server resources, making the application unresponsive to legitimate users. The vulnerability is only exploitable if the application uses send_from_directory and allows user-specified paths.
Mitigation and Patch Steps
The recommended mitigation is to upgrade Werkzeug to version 3.1.4 or later. This version includes a patch that properly handles Windows device names within the safe_join function. To upgrade, use pip:
pip install -U Werkzeug
After upgrading, ensure that all deployed applications are restarted to apply the changes.
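As a defense-in-depth measure alongside the upgrade, an application can validate user-supplied relative paths itself before handing them to send_from_directory. The following is an added example written for this page; it is not Werkzeug's own code or its patch. It applies the Windows rule that a reserved name is still reserved when followed by an extension (for example “NUL.txt”) and when it carries trailing dots or spaces, which is stricter than the trailing-segment case the advisory describes. The function names, the route snippet in the comment, and the sample paths are assumptions constructed for illustration.

```python
import re
from typing import Optional

# Reserved device names on Windows. Windows resolves these regardless of the
# directory they appear in, and also when an extension follows the name.
_RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(segment: str) -> bool:
    """Return True if a single path segment would resolve to a Windows device."""
    # Windows ignores trailing dots and spaces when matching a file name.
    name = segment.rstrip(". ")
    # Only the part before the first dot is compared ("CON.txt" is still CON).
    stem = name.split(".", 1)[0].strip()
    return stem.upper() in _RESERVED_DEVICE_NAMES


def validate_relative_path(user_path: str) -> Optional[str]:
    """Return a normalized relative path that is safe to pass on, or None.

    Rejects any segment that is a reserved device name and any '..' segment
    (directory traversal), so the caller can respond with 404 instead of
    opening a device handle that may block forever.
    """
    # Accept both separators; drop empty and '.' segments.
    segments = [s for s in re.split(r"[\\/]+", user_path) if s not in ("", ".")]
    for seg in segments:
        if seg == "..":
            return None
        if is_reserved_device_name(seg):
            return None
    return "/".join(segments)


# Usage in a Flask/Werkzeug view (hypothetical route; framework imports are
# omitted so this block runs stand-alone):
#
#   @app.route("/files/<path:filename>")
#   def serve(filename):
#       safe = validate_relative_path(filename)
#       if safe is None:
#           abort(404)
#       return send_from_directory(STATIC_DIR, safe)


if __name__ == "__main__":
    # Constructed sample inputs showing which requests are refused.
    for candidate in ["docs/readme.txt", "static/CON", "nul.txt", "COM1 ", "../etc/passwd", "console.txt"]:
        print(f"{candidate!r:20} -> {validate_relative_path(candidate)!r}")
```

The check is deliberately case-insensitive and tolerant of trailing dots and spaces because Windows normalizes names that way before matching; a validator that only compared the raw final segment against “CON” would still let “con.” or “NUL.txt” through. Upgrading to Werkzeug 3.1.4 or later remains the actual fix; this validator only adds a second layer at the application boundary.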
