Werkzeug WSGI Improper Handling of Windows Device Names Vulnerability - CVE-2025-66221

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4 Werkzeug39s safe_join function allows path segments with Windows device names. On Windows there are special device names such as CON AUX etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name the file will be opened successfully but reading will hang indefinitely. This issue has been patched in version 3.1.4.