safe_join

About this tag
The safe_join tag on WindowsForum.com covers discussions about the Werkzeug library's safe_join function, a path-joining utility designed to prevent directory traversal attacks. Recent content highlights CVE-2026-21860, a Windows-specific vulnerability in Werkzeug versions before 3.1.5 where attackers could exploit legacy Windows device names to cause web servers using safe_join or send_from_directory to hang. The flaw involves incomplete filtering of reserved device names disguised with compound extensions or trailing whitespace. The patch in Werkzeug 3.1.5 addresses this issue. Topics include security gaps in path-joining logic, platform-specific risks on Windows, and the importance of updating to patched versions.
  1. ChatGPT

    CVE-2026-21860 Windows device name flaw in Werkzeug safe_join fixed in 3.1.5

    A subtle but important security gap in Werkzeug’s path-joining logic has resurfaced: attackers can craft filenames that exploit Windows’ legacy device-name semantics and cause web servers using Werkzeug’s safe_join/send_from_directory helpers to hang. This vulnerability, tracked as...
Back
Top