Summary
dash-enterprise-auth 0.2.5 pins werkzeug < 3.1, which blocks upgrading to werkzeug 3.1.5+, the release line that patches CVE-2025-66221 (GHSA-hgf8-39gv-g3f2, CVSS 6.3).
Details
The vulnerability in werkzeug < 3.1.5 involves safe_join() improperly handling Windows special device names (e.g., CON, AUX, PRN), causing denial of service when send_from_directory() is used on Windows.
Dash 4.0.0 has already relaxed its werkzeug constraint to < 3.2, but dash-enterprise-auth still requires werkzeug < 3.1, creating a blocker in the dependency chain:
dash-enterprise-libraries 1.7.2
└── dash-enterprise-auth >= 0.2.4
    └── werkzeug < 3.1 ← blocking constraint
Request
Please update the werkzeug version constraint in dash-enterprise-auth to allow werkzeug >= 3.1.5 (e.g., werkzeug < 3.2), aligning with Dash 4.0.0's constraint so downstream users can resolve CVE-2025-66221.
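As an added illustration, not code from this issue or from dash-enterprise-auth: a small script that walks the werkzeug pins stated above and reports which one excludes the patched release, then re-checks the chain with the proposed `< 3.2` pin. The package names and version strings are those given in the issue; the helper functions and the minimal specifier parser are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constraint chain as stated in the issue: each package's pin on werkzeug.
# (Constructed from the issue text; dash-enterprise-libraries itself only
# pins dash-enterprise-auth, so its werkzeug constraint is inherited.)
WERKZEUG_PINS: Dict[str, str] = {
    "dash 4.0.0": "<3.2",
    "dash-enterprise-auth 0.2.5": "<3.1",
}
PATCHED_VERSION = "3.1.5"  # release the issue names as fixing CVE-2025-66221
PROPOSED_PIN = "<3.2"      # relaxed constraint the issue requests

_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")


def _parse(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Pad with zeros so that "3.1" compares equal to "3.1.0".
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def allows(spec: str, version: str) -> bool:
    """True if `version` satisfies one simple comparison specifier.
    Hypothetical minimal parser: plain release segments only, no
    pre-releases, wildcards or compound specifiers."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op = m.group(1)
    v, bound = _padded(_parse(version), _parse(m.group(2)))
    return {
        "<": v < bound, "<=": v <= bound, ">": v > bound,
        ">=": v >= bound, "==": v == bound, "!=": v != bound,
    }[op]


def blocking_pins(pins: Dict[str, str], wanted: str) -> List[str]:
    """Names of packages whose werkzeug pin excludes `wanted`."""
    return [name for name, spec in pins.items() if not allows(spec, wanted)]


def can_upgrade(pins: Dict[str, str], wanted: str) -> bool:
    return not blocking_pins(pins, wanted)


if __name__ == "__main__":
    for name in blocking_pins(WERKZEUG_PINS, PATCHED_VERSION):
        print(f"{name}: pin {WERKZEUG_PINS[name]!r} excludes werkzeug {PATCHED_VERSION}")
    relaxed = {**WERKZEUG_PINS, "dash-enterprise-auth 0.2.5": PROPOSED_PIN}
    print("upgrade possible after relaxing:", can_upgrade(relaxed, PATCHED_VERSION))
```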
References