{"id":"CVE-2024-49766","summary":"Werkzeug safe_join not safe on Windows","details":"Werkzeug is a Web Server Gateway Interface web application library. On Python \u003c 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python \u003e= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.","aliases":["GHSA-f9vj-2wh5-fj8j"],"modified":"2026-04-10T05:18:02.499134Z","published":"2024-10-25T19:22:36.380Z","related":["CGA-67rq-wq88-mqrf"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49766.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/pallets/werkzeug/releases/tag/3.0.6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49766.json"},{"type":"ADVISORY","url":"https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49766"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250131-0005/"},{"type":"FIX","url":"https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/werkzeug","events":[{"introduced":"0"},{"fixed":"5eaefc3996aa5cc8c5237d8b82f1b89eed6ea624"}]}],"versions":["0.1","0.10","0.11","0.12","0.13","0.14","0.15.0","0.2","0.3","0.4","0.4.1","0.6","0.6.1","0.6.2","0.7","0.8","0.9","1.0.0","1.0.0rc1","2.0.0","2.0.0rc1","2.0.0rc2","2.0.0rc3","2.0.0rc4","2.0.0rc5","2.1.0","2.2.0","2.2.0a1","3.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49766.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}