Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-49766

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

Published

2024-10-25T20:15:04.410

Last Modified

2025-12-03T15:29:37.613

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	palletsprojects	werkzeug	< 3.0.6	Yes
Operating System	microsoft	windows	-	No

References

https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092 Patch ([email protected])
https://github.com/pallets/werkzeug/releases/tag/3.0.6 Release Notes ([email protected])
https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20250131-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)