CVE-2024-49766 in Werkzeuginfo

Summary

by MITRE • 10/25/2024

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 12/03/2025

This vulnerability affects the Werkzeug web application library, which serves as a Web Server Gateway Interface implementation for python applications. The flaw specifically manifests on python versions prior to 3.11 when running on windows operating systems, creating a path traversal risk through improper handling of UNC (Universal Naming Convention) paths. UNC paths follow the format //server/share and are commonly used in windows networking environments to access shared resources across a network. The vulnerability stems from the os.path.isabs() function in older python versions not properly recognizing these UNC paths as absolute paths, leading to a false negative in path validation checks.

The technical implementation of this vulnerability occurs within Werkzeug's safe_join() function which relies on os.path.isabs() to validate whether paths are absolute before processing them. When a UNC path like //server/share is encountered, the function fails to identify it as absolute, causing the safe_join() function to proceed with path processing without proper sanitization. This creates a potential security bypass where maliciously crafted input could lead to directory traversal attacks, allowing unauthorized access to network shares and potentially sensitive data stored on remote servers. The vulnerability represents a classic path normalization issue that can be exploited to access resources outside the intended application scope.

The operational impact of this vulnerability is significant for organizations running vulnerable Werkzeug versions on windows systems with python < 3.11. Attackers could potentially exploit this weakness to access network shares, read files from remote servers, or gain unauthorized access to data that should remain protected. The risk is particularly concerning in enterprise environments where windows servers host web applications using Werkzeug, as it could lead to data breaches or lateral movement within network infrastructures. The vulnerability affects any application that uses Werkzeug's safe_join() function for path handling, making it a widespread concern across various web applications and frameworks that depend on this library.

Organizations should immediately upgrade to Werkzeug version 3.0.6 or later, which includes a patch addressing this specific issue. The patch modifies the path validation logic to properly handle UNC paths regardless of python version or operating system. Systems running python 3.11 or later are inherently protected due to improved path handling in newer python versions. For environments where immediate upgrades are not feasible, administrators should implement additional input validation measures and monitor network traffic for suspicious path access patterns. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and could be categorized under ATT&CK technique T1074 (Data Staged) when exploited for unauthorized data access. Organizations should also consider implementing network segmentation and access controls to limit potential damage from any successful exploitation attempts.

Responsible

GitHub M

Reservation

10/18/2024

Disclosure

10/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00786

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!