CVE-2024-49766

5.3 MEDIUM

📋 TL;DR

Werkzeug's safe_join() relies on os.path.isabs() to reject absolute path components. On Windows with Python < 3.11, os.path.isabs() returns False for a UNC path of the form //server/share, so safe_join() accepts it, and because the joined path then starts with // the intended base directory is discarded: a directory-traversal style escape. Only Windows hosts running Python < 3.11 with Werkzeug < 3.0.6 are affected.

💻 Affected Systems

Products:
  • Werkzeug
Versions: All versions before 3.0.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running Python < 3.11 on Windows. Python 3.11+ or non-Windows systems are not affected.

📦 What is this software?

Werkzeug is the WSGI utility library that Flask is built on. safe_join() lives in werkzeug.security and is what send_from_directory() uses to keep a user-supplied filename inside a fixed directory, so any application serving files from user input through these helpers is in scope.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized file read access to sensitive system files or application data through directory traversal

🟠 Likely Case: Limited file disclosure from web-accessible directories if specific conditions are met

🟢 If Mitigated: No impact with proper input validation or updated components

🌐 Internet-Facing: MEDIUM - Web applications are exposed but exploitation requires specific conditions
🏢 Internal Only: LOW - Internal applications have reduced attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires all of the following: a Windows host, Python < 3.11, Werkzeug < 3.0.6, and an application code path that passes attacker-controlled input to safe_join() (directly or through send_from_directory()). No public exploit is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.6

Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j

Restart Required: Yes

Instructions (run inside the virtual environment that serves the application):

1. Update Werkzeug: python -m pip install --upgrade "werkzeug>=3.0.6"
2. Restart the application/service so the new module is loaded
3. Verify the update with: python -m pip show werkzeug

🔧 Temporary Workarounds

Upgrade Python to 3.11+ (Windows): on Python 3.11 and later, os.path.isabs() returns True for UNC paths such as //server/share, so safe_join() rejects them even on an unpatched Werkzeug.

Input validation wrapper (all platforms): reject any path component that starts with // (after URL-decoding) before it reaches safe_join(). Backslash variants (\\server\share) are already rejected on Windows, where safe_join() treats the backslash as a forbidden alternate separator.
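The bypass mechanics and the input-validation wrapper, as an added example (this is not Werkzeug's code and not from the advisory): model_safe_join() re-creates the shape of the pre-3.0.6 safe_join() decision with an injectable isabs(), legacy_nt_isabs() emulates the pre-3.11 ntpath.isabs() algorithm so the bug reproduces on any platform and Python version, and hardened_join() applies the // prefix rejection described above. All names are mine; the facts relied on are that posixpath.normpath() keeps a leading //, that ntpath.isabs() before 3.11 returned False for //server/share, and that posixpath.join() drops the base directory when the next component starts with /.

```python
"""Model of the CVE-2024-49766 check in safe_join(), plus a hardened wrapper.

Added example; this is NOT Werkzeug's code. model_safe_join() re-creates the
shape of the pre-3.0.6 safe_join() decision (posixpath.normpath, reject
alternate separators, absolute paths and '..', then posixpath.join) with an
injectable isabs() so the Windows / Python < 3.11 behaviour can be reproduced
on any host. Deployments should call werkzeug.security.safe_join from
Werkzeug >= 3.0.6 instead.
"""
from __future__ import annotations

import ntpath
import posixpath
import sys
from typing import Callable

UNC = "//server/share"  # constructed sample input: two components, nothing after


def legacy_nt_isabs(path: str) -> bool:
    """Emulate ntpath.isabs() as implemented before Python 3.11.

    The old algorithm split off the drive and asked whether the remainder
    starts with a separator. For '//server/share' the whole string is the
    drive (the UNC share) and the remainder is empty, so it returned False.
    '//server/share/file' has a remainder of '/file' and was caught.
    """
    rest = ntpath.splitdrive(path)[1]
    return len(rest) > 0 and rest[0] in "\\/"


def isabs_matches_documented_behaviour() -> bool:
    """Python 3.11+ ntpath.isabs() reports UNC shares as absolute; older ones do not."""
    return ntpath.isabs(UNC) == (sys.version_info >= (3, 11))


def model_safe_join(
    directory: str,
    filename: str,
    isabs: Callable[[str], bool] = ntpath.isabs,
    alt_seps: tuple[str, ...] = ("\\",),  # what Werkzeug rejects on Windows besides '/'
) -> str | None:
    """Approximation of the pre-3.0.6 safe_join() for a single component.

    Returns None when the component is rejected, like the real function.
    """
    if filename != "":
        filename = posixpath.normpath(filename)  # keeps exactly two leading '/' intact
    if (
        any(sep in filename for sep in alt_seps)
        or isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    ):
        return None
    # posixpath.join treats a second component that begins with '/' as
    # absolute and drops `directory`, so an accepted '//server/share'
    # escapes the base directory entirely.
    return posixpath.join(directory, filename)


def hardened_join(
    directory: str,
    filename: str,
    isabs: Callable[[str], bool] = ntpath.isabs,
) -> str | None:
    """Input-validation wrapper: refuse a UNC-style '//' prefix before joining.

    posixpath.normpath() never creates or removes a leading '//' (it only
    preserves exactly two), so testing the raw value matches what the
    join would see.
    """
    if filename.startswith("//"):
        return None
    return model_safe_join(directory, filename, isabs=isabs)


def demonstrate() -> dict[str, object]:
    """Run the key inputs through both joins with the legacy isabs()."""
    return {
        "legacy_isabs_unc": legacy_nt_isabs(UNC),                            # False: the bug
        "model_unc": model_safe_join("static", UNC, isabs=legacy_nt_isabs),  # '//server/share'
        "model_traversal": model_safe_join("static", "../secret", isabs=legacy_nt_isabs),  # None
        "model_benign": model_safe_join("static", "css/site.css", isabs=legacy_nt_isabs),  # 'static/css/site.css'
        "hardened_unc": hardened_join("static", UNC, isabs=legacy_nt_isabs),  # None
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The legacy emulation makes the point independent of the host: on any Python, the model with legacy_nt_isabs() returns //server/share for the UNC input while rejecting ../secret, and the wrapper turns the UNC case into None without touching benign names.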

🧯 If You Can't Patch

  • Deploy web application firewall (WAF) rules that match a //host/share component in request paths and in parameter values, including the URL-encoded form %2F%2F; a rule on a bare // will also fire on the scheme separator of full-URL fields and on harmless doubled slashes, so scope it to the path and query
  • Restrict file system permissions for the application user to limit potential damage

🔍 How to Verify

Check if Vulnerable (use the interpreter that serves the application; activate its virtual environment first):

Check Python version: python --version
Check Werkzeug version: python -m pip show werkzeug | findstr Version (grep is not installed by default on Windows, and Windows is the only platform that matters here)
If Python < 3.11 on Windows and Werkzeug < 3.0.6, the system is vulnerable

Check Version:

python -m pip show werkzeug | findstr Version (on a non-Windows shell, pipe to grep Version instead)

Verify Fix Applied:

Verify the Werkzeug version is 3.0.6 or later: python -m pip show werkzeug | findstr Version
Behavioural check on the Windows host: calling safe_join() with a base directory and the component //server/share must return None (None is how safe_join() signals a rejected path); a returned path means the bug is still present
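The verification procedure above as a single script, added here and not part of the advisory or of Werkzeug: it reads the installed Werkzeug version from package metadata (the same source pip show uses), applies the three advisory conditions, and probes safe_join() with //server/share if Werkzeug is importable. The function names and the version-parsing rules are mine.

```python
"""Assess a host for CVE-2024-49766: Windows AND Python < 3.11 AND Werkzeug < 3.0.6.

Added example, not part of the advisory or of Werkzeug. Run it with the
interpreter that actually serves the application (activate its virtualenv
first); checking some other interpreter says nothing about the app.
importlib.metadata reads the installed distribution, which is the same
source `pip show` uses.
"""
from __future__ import annotations

import os
import re
import sys
from importlib import metadata

FIXED_WERKZEUG = (3, 0, 6)
FIXED_PYTHON = (3, 11)


def version_tuple(text: str) -> tuple[int, ...]:
    """'3.0.6' -> (3, 0, 6). Pre-release suffixes ('3.1.0rc1') are ignored,
    which is acceptable for a lower-bound test against a final release."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(python_version: tuple[int, int], werkzeug_version: str, is_windows: bool) -> bool:
    """All three advisory conditions must hold at once."""
    return (
        is_windows
        and tuple(python_version) < FIXED_PYTHON
        and version_tuple(werkzeug_version) < FIXED_WERKZEUG
    )


def installed_werkzeug() -> str | None:
    """Installed Werkzeug version string, or None if the package is absent."""
    try:
        return metadata.version("werkzeug")
    except metadata.PackageNotFoundError:
        return None


def probe_safe_join() -> str:
    """Behavioural check on this host: a fixed safe_join() returns None for
    '//server/share'. 'accepted' means the component was joined (bug present).
    Only meaningful on the Windows host; elsewhere posixpath.isabs() rejects it."""
    try:
        from werkzeug.security import safe_join
    except ImportError:
        return "werkzeug not importable"
    return "rejected" if safe_join("static", "//server/share") is None else "accepted"


def assess() -> dict[str, object]:
    """Collect the facts and the verdict for this interpreter."""
    wz = installed_werkzeug()
    windows = os.name == "nt"
    return {
        "python": sys.version.split()[0],
        "werkzeug": wz,
        "windows": windows,
        "safe_join_probe": probe_safe_join(),
        "vulnerable": wz is not None and is_vulnerable(sys.version_info[:2], wz, windows),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run it as python assess_werkzeug.py (any filename) from the application's environment on the Windows host; a "vulnerable: True" verdict or a "safe_join_probe: accepted" line means the fix is not in effect.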

📡 Detection & Monitoring

Log Indicators:

  • UNC-style components (//server/share) in request paths or in parameter values, including the URL-encoded form %2F%2Fserver%2Fshare
  • Failed file access attempts outside expected directories

Network Indicators:

  • File reads by the web application process outside its document root (host file-access auditing on the web server rather than a true network indicator)

SIEM Query:

source="web_logs" AND (uri_path="*//*" OR uri_query="*//*" OR uri_query="*%2F%2F*")

(Pseudo-query; adapt field names to your schema. Search the path and query fields rather than a whole-URL field, because a bare "//" also matches the scheme separator of every http:// value, and expect benign doubled slashes to need triage.)
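The same hunt run over access log lines, as an added example (not from the advisory): the log lines are constructed, the parser assumes the common combined log format, and the regular expressions and function names are mine. It inspects the request path and every query-string value after URL-decoding, and strips any scheme://host prefix first so the // in http:// is never counted.

```python
"""Hunt web access logs for UNC-style path components (CVE-2024-49766).

Added example; the log lines are constructed, not from a real system, and
the parser assumes the common combined log format. It inspects the request
path and every query-string value, URL-decoded, because the vulnerable
call often receives a filename from a parameter rather than the URL path,
and it strips any scheme://host prefix first so the '//' in 'http://' is
never counted.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote

# Combined log format; only the client, time, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# UNC shape: exactly two slashes, then host, one slash, share. The
# lookbehind stops '///x/y' (which normalises to '/x/y') from matching.
UNC_RE = re.compile(r'(?<!/)//[^/\s?]+/[^/\s?]+')

# Constructed sample data (documentation IP ranges, fictitious hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 1422
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /download?file=//fileserver/share HTTP/1.1" 200 0
198.51.100.9 - - [10/Oct/2024:12:00:03 +0000] "GET /download?file=%2F%2Fattacker%2Fshare HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2024:12:00:04 +0000] "GET http://example.test/static/app.js HTTP/1.1" 200 913
192.0.2.4 - - [10/Oct/2024:12:00:05 +0000] "GET /static//server/share HTTP/1.1" 200 0
192.0.2.4 - - [10/Oct/2024:12:00:06 +0000] "GET /a///b/c HTTP/1.1" 404 0
"""


def split_target(target: str) -> tuple[str, str]:
    """(path, query) of a request target; drops an absolute-form scheme://host."""
    target = re.sub(r'^[A-Za-z][A-Za-z0-9+.-]*://[^/?]*', '', target)
    path, _, query = target.partition("?")
    return path, query


def unc_hits(path: str, query: str) -> list[str]:
    """UNC-looking substrings in the decoded path and in each query value.

    The path is decoded twice to catch %252F double-encoding; parse_qsl
    already decodes the query once, so its values are decoded once more.
    """
    candidates = [unquote(unquote(path))]
    candidates += [unquote(v) for _, v in parse_qsl(query, keep_blank_values=True)]
    return [m.group(0) for value in candidates for m in UNC_RE.finditer(value)]


def scan(log_text: str) -> list[dict[str, str]]:
    """One finding per UNC-looking value, with enough context to triage."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, query = split_target(m["target"])
        for hit in unc_hits(path, query):
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "unc": hit, "target": m["target"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['unc']}  <- {f['target']}")
```

On the sample data this flags the parameter-borne //fileserver/share, its URL-encoded twin, and the path-borne /static//server/share, while the full-URL request and the triple-slash request produce nothing. Treat hits as leads: doubled slashes occur in legitimate traffic, and the status code and the host's Python/Werkzeug versions decide whether a hit mattered.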

🔗 References

  • Vendor advisory GHSA-f9vj-2wh5-fj8j: https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-49766