View all vulnerabilities

CVE-2024-49766

Werkzeug safe_join not safe on Windows

On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
5.3
Score Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Versions
werkzeug < 3.0.6
Severity
Medium
Ecosystem
Python
Publish Date
October 25, 2024
Modified Date
January 31, 2025