Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-67 (Windows设备名处理不恰当) — Vulnerability Class 5

5 vulnerabilities classified as CWE-67 (Windows设备名处理不恰当). AI Chinese analysis included.

CWE-67 represents a critical input validation weakness where applications fail to properly sanitize or recognize reserved Windows device names, such as CON, AUX, PRN, COM1, and LPT1, within constructed file paths. Attackers typically exploit this vulnerability by injecting these special identifiers into user-supplied input fields, tricking the application into interpreting them as hardware devices rather than standard files. This manipulation often results in severe denial of service conditions, as the operating system may block access to the device, or lead to unintended information exposure if the application behaves unpredictably. To mitigate this risk, developers must implement rigorous input validation that explicitly rejects or escapes these reserved keywords before processing. Additionally, using safe path-handling libraries that abstract direct OS interactions can prevent the application from inadvertently resolving these dangerous names, ensuring robust defense against path traversal and device manipulation attacks.

MITRE CWE Description
The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.
Common Consequences (1)
Availability, Confidentiality, OtherDoS: Crash, Exit, or Restart, Read Application Data, Other
Mitigations (1)
ImplementationBe familiar with the device names in the operating system where your system is deployed. Check input for these device names.
CVE IDTitleCVSSSeverityPublished
CVE-2026-27199 Werkzeug safe_join() allows Windows special device names — werkzeug 7.5AIHighAI2026-02-21
CVE-2026-21860 Werkzeug safe_join() allows Windows special device names with compound extensions — werkzeug 7.5 -2026-01-08
CVE-2025-66221 Werkzeug safe_join() allows Windows special device names — werkzeug--2025-11-29
CVE-2024-51745 Wasmtime doesn't fully sandbox all the Windows device filenames — wasmtime 8.2AIHighAI2024-11-05
CVE-2024-35197 gix refs and paths with reserved Windows device names access the devices — gitoxide 5.4 Medium2024-05-23

Vulnerabilities classified as CWE-67 (Windows设备名处理不恰当) represent 5 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.