Moderate severity · NVD Advisory · Published Oct 25, 2024 · Updated Jan 31, 2025
Werkzeug safe_join not safe on Windows
CVE-2024-49766
Description
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
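The description above pins the root cause on one call: safe_join() trusts os.path.isabs(), and on Windows with Python < 3.11 that function answers False for a UNC path such as //server/share, so the path survives the check and is joined below the intended directory. The following is an added example, not Werkzeug's own code and not the 3.0.6 patch: it reproduces the checks the advisory describes (normalise, reject separators, absolute paths and parent traversal) but replaces the bare isabs() call with an explicit test that refuses rooted, drive-prefixed and UNC input on any OS and any Python version. The names looks_absolute, safe_join, interpreter_isabs_misses_unc, check_samples and SAMPLES are assumptions of this example, and the sample inputs are constructed.

```python
"""Hardened path-join check that does not depend on os.path.isabs().

Added example for CVE-2024-49766; not Werkzeug's code or its 3.0.6 patch.
"""
import ntpath
import posixpath
from typing import Dict, Optional


def interpreter_isabs_misses_unc() -> bool:
    """Probe whether this interpreter's ntpath.isabs() has the gap the
    advisory describes (it reports a UNC path as not absolute on Python
    < 3.11). ntpath is used directly so the probe runs on any OS.
    """
    return not ntpath.isabs("//server/share")


def looks_absolute(filename: str) -> bool:
    """Platform-independent absolute-path test (hypothetical helper).

    Rather than trusting os.path.isabs(), reject anything that is rooted on
    either POSIX or Windows: a leading slash or backslash (covers /etc,
    //server/share and \\server\share) or a drive/UNC prefix as reported by
    ntpath.splitdrive(), which recognises UNC on every Python 3 version.
    """
    if filename.startswith(("/", "\\")):
        return True
    drive, _tail = ntpath.splitdrive(filename)
    return drive != ""


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted components below `directory`, or return None.

    Same shape as the check the advisory describes, but the absolute-path
    decision goes through looks_absolute() so a UNC path is refused
    regardless of OS or Python version.
    """
    if not directory:
        directory = "."
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename  # never accept the Windows separator at all
            or looks_absolute(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


# Constructed sample inputs a static-file route might receive, with the
# result the hardened join must produce for each.
SAMPLES: Dict[str, Optional[str]] = {
    "css/app.css": "static/css/app.css",
    "img/../css/app.css": "static/css/app.css",
    "../secrets.txt": None,
    "/etc/passwd": None,
    "//server/share/secret.txt": None,  # UNC with forward slashes
    "\\\\server\\share\\secret.txt": None,  # UNC with backslashes
    "C:/Windows/win.ini": None,  # drive-prefixed
}


def check_samples(directory: str = "static") -> Dict[str, Optional[str]]:
    """Run every constructed sample through safe_join() under `directory`."""
    return {name: safe_join(directory, name) for name in SAMPLES}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name!r:34} -> {result!r}")
    print("ntpath.isabs() misses UNC here:", interpreter_isabs_misses_unc())
```

The probe is useful on its own: run it under the interpreter that serves the application and, if it returns True, treat that interpreter as one where os.path.isabs() alone cannot be relied on for this check, which is exactly the Python < 3.11 case the advisory names. Rejecting a drive-relative form such as C:foo is deliberately conservative; a route serving files below one directory never needs it.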
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Werkzeug (PyPI) | < 3.0.6 | 3.0.6 |
Affected products
OSV coordinates: 62; versions: 61. No entry carries a CPE.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-2 | < 2.11.1-r0 |
| pkg:apk/chainguard/airflow-3 | < 3.2.0-r0 |
| pkg:apk/chainguard/airflow-3-bitnami-compat | < 3.0.1-r1 |
| pkg:apk/chainguard/airflow-3-compat | < 3.0.1-r1 |
| pkg:apk/chainguard/airflow-core-2 | < 2.11.1-r0 |
| pkg:apk/chainguard/emissary | < 3.9.1-r4 |
| pkg:apk/chainguard/emissary-apiext | < 3.9.1-r4 |
| pkg:apk/chainguard/emissary-oci-entrypoint | < 3.9.1-r4 |
| pkg:apk/chainguard/kubeflow-jupyter-web-app | < 1.9.2-r1 |
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.4.0-r0 |
| pkg:apk/chainguard/kubeflow-volumes-web-app | < 1.9.2-r1 |
| pkg:apk/chainguard/mlflow | < 2.21.0-r0 |
| pkg:apk/chainguard/mlflow-bitnami | < 2.21.0-r0 |
| pkg:apk/chainguard/mlflow-iamguarded-compat | < 2.21.0-r0 |
| pkg:apk/chainguard/py3.10-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.10-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.11-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.11-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.12-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.12-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.13-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.13-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3-supported-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/superset | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-ci | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-entrypoint | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-iamguarded-compat | < 4.0.2-r6 |
| pkg:apk/wolfi/airflow-3 | < 3.2.0-r0 |
| pkg:apk/wolfi/airflow-3-bitnami-compat | < 3.0.1-r1 |
| pkg:apk/wolfi/airflow-3-compat | < 3.0.1-r1 |
| pkg:apk/wolfi/emissary | < 3.9.1-r4 |
| pkg:apk/wolfi/emissary-apiext | < 3.9.1-r4 |
| pkg:apk/wolfi/emissary-oci-entrypoint | < 3.9.1-r4 |
| pkg:apk/wolfi/kubeflow-jupyter-web-app | < 1.9.2-r1 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.4.0-r0 |
| pkg:apk/wolfi/kubeflow-volumes-web-app | < 1.9.2-r1 |
| pkg:apk/wolfi/mlflow | < 2.21.0-r0 |
| pkg:apk/wolfi/mlflow-bitnami | < 2.21.0-r0 |
| pkg:apk/wolfi/mlflow-iamguarded-compat | < 2.21.0-r0 |
| pkg:apk/wolfi/py3.10-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.10-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.11-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.11-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.12-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.12-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.13-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.13-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3-supported-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/superset | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-ci | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-entrypoint | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-iamguarded-compat | < 4.0.2-r6 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=esm-infra/bionic | >= 0 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=esm-infra/xenial | >= 0 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=focal | >= 0 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=jammy | >= 0 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=noble | >= 0 |
| pkg:deb/ubuntu/python-werkzeug?arch=src?distro=oracular | >= 0 |
| pkg:pypi/werkzeug | < 3.0.6 |
References
6 references:

- github.com/advisories/GHSA-f9vj-2wh5-fj8j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-49766 (ghsa, ADVISORY)
- github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092 (ghsa, x_refsource_MISC, WEB)
- github.com/pallets/werkzeug/releases/tag/3.0.6 (ghsa, x_refsource_MISC, WEB)
- github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j (ghsa, x_refsource_CONFIRM, WEB)
- security.netapp.com/advisory/ntap-20250131-0005 (ghsa, WEB)
News mentions
0 linked articles: no linked articles in our index yet.