Investigate vulnerability: Werkzeug safe_join() allows Windows special device names
Issue created from vulnerability [96](https://labs.etsi.org/rep/ocf/capif/-/security/vulnerabilities/96)

### Description:

Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc. that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

* Severity: medium
* Location: [services/TS29222_CAPIF_API_Invoker_Management_API/requirements.txt](https://labs.etsi.org/rep/rep/ocf/capif/-/blob/f0493bd7e0be6a39e7590621a26b3ba927b008d1/services/TS29222_CAPIF_API_Invoker_Management_API/requirements.txt)

### Solution:

Upgrade to version 3.1.4 or above.

### Identifiers:

* [Gemnasium-be0d5a98-dadd-4303-926d-d5fe6b4765b2](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/pypi/Werkzeug/CVE-2025-66221.yml)
* [CVE-2025-66221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66221)
* [GHSA-hgf8-39gv-g3f2](https://github.com/advisories/GHSA-hgf8-39gv-g3f2)

### Links:

* https://github.com/advisories/GHSA-hgf8-39gv-g3f2
* https://github.com/pallets/werkzeug
* https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
* https://github.com/pallets/werkzeug/releases/tag/3.1.4
* https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2
* https://nvd.nist.gov/vuln/detail/CVE-2025-66221

### Scanner:

* Name: gemnasium-python
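As an added example (not Werkzeug's code and not part of this issue), the following hypothetical hardened join shows the kind of check the description calls for: each untrusted segment is rejected if its stem is a Win32 reserved device name, on every platform, so a service fronting `send_from_directory` does not depend on the deployment OS. The function names `safe_join_no_devices` and `is_windows_device_name` and the reserved-name list are assumptions constructed for this illustration.

```python
import os
import posixpath
from typing import Optional

# Win32 reserved device names; they are resolvable "inside" every directory on
# Windows regardless of what is actually on disk. Constructed here from the
# documented reserved set (assumption: COM0/LPT0 included defensively).
_WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(10)}
    | {f"LPT{i}" for i in range(10)}
)


def is_windows_device_name(segment: str) -> bool:
    """True if a single path segment would resolve to a Win32 device.

    Win32 ignores anything after the first dot ("CON.txt" is still CON) and
    trailing spaces or dots, so compare only the stem, case-insensitively.
    """
    stem = segment.rstrip(" .").split(".", 1)[0].upper()
    return stem in _WINDOWS_DEVICE_NAMES


def safe_join_no_devices(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments under *directory*, or return None if unsafe.

    Hypothetical helper written for this issue: rejects absolute paths,
    parent traversal, backslash separators and any segment naming a
    Windows device, then joins with POSIX separators.
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or os.path.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        # The device-name check: applied per segment after normalisation so
        # "sub/../CON" is caught as well as a plain "CON" or "docs/aux.log".
        if any(is_windows_device_name(seg) for seg in filename.split("/") if seg):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```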