Skip to content

chore(deps): update dependency werkzeug to v3.1.6 [security]#242

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-werkzeug-vulnerability
Open

chore(deps): update dependency werkzeug to v3.1.6 [security]#242
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-werkzeug-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Feb 20, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
werkzeug (changelog) ==3.1.5==3.1.6 age confidence

Werkzeug safe_join() allows Windows special device names

CVE-2026-27199 / GHSA-29vq-49wr-vm6x

More information

Details

Werkzeug's safe_join function allows Windows device names as filenames if when preceded by other path segments.

This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.

send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pallets/werkzeug (werkzeug)

v3.1.6

Compare Source

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in
    multi-segment paths. :ghsa:29vq-49wr-vm6x

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 1d43a0c to 6a2ed25 Compare February 20, 2026 13:25
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 424598f to d742a34 Compare February 23, 2026 09:04
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 6f0dd38 to 1ab8533 Compare March 2, 2026 18:14
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 12a2fe2 to e0a07c1 Compare March 11, 2026 11:52
@renovate renovate Bot changed the title chore(deps): update dependency werkzeug to v3.1.6 [security] chore(deps): update dependency werkzeug to v3.1.6 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-werkzeug-vulnerability branch March 27, 2026 02:14
@renovate renovate Bot changed the title chore(deps): update dependency werkzeug to v3.1.6 [security] - autoclosed chore(deps): update dependency werkzeug to v3.1.6 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from e0a07c1 to 2feaa80 Compare March 30, 2026 18:16
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 4 times, most recently from 26a9bbd to 83434a4 Compare April 13, 2026 09:59
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 83434a4 to ef15719 Compare April 13, 2026 10:07
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from b1c6036 to 0ad4a01 Compare April 24, 2026 12:04
@renovate renovate Bot changed the title chore(deps): update dependency werkzeug to v3.1.6 [security] chore(deps): update dependency werkzeug to v3.1.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency werkzeug to v3.1.6 [security] - autoclosed chore(deps): update dependency werkzeug to v3.1.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 0ad4a01 to 607d984 Compare April 27, 2026 20:59
@renovate renovate Bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 607d984 to 8ec8901 Compare April 28, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants