Werkzeug possible resource exhaustion when parsing file data in forms
Description
Werkzeug is a Web Server Gateway Interface (WSGI) web application library. Applications that use werkzeug.formparser.MultiPartParser from a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Werkzeug (PyPI) | >= 2.0.0rc1, < 3.0.6 | 3.0.6 |
| Quart (PyPI) | < 0.20.0 | 0.20.0 |
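The description and the table above give the two PyPI ranges a defender needs in order to find exposed installations. The following checker is an added example, not code from the advisory or from the Pallets projects: it reads `pip freeze`-style `name==version` lines and flags any Werkzeug or Quart release inside the ranges listed above. The sample environment in `SAMPLE_FREEZE` is constructed, and the version parser is an assumption that covers only the release-plus-pre-release forms that appear on this page (`2.0.0rc1`, `3.0.6`); it is not a full PEP 440 implementation.

```python
"""Flag Werkzeug/Quart versions that fall inside the advisory's affected ranges."""
import re

# Ranges exactly as listed in the advisory's "Affected packages" table.
# A `min` of None means the range has no lower bound.
ADVISORY_RANGES = {
    "werkzeug": {"min": "2.0.0rc1", "max_excl": "3.0.6", "patched": "3.0.6"},
    "quart": {"min": None, "max_excl": "0.20.0", "patched": "0.20.0"},
}

# Constructed sample of `pip freeze` output; not a real environment.
SAMPLE_FREEZE = """\
# constructed sample environment
Flask==3.0.3
Werkzeug==3.0.4
Quart==0.19.6
requests==2.32.3
"""


def parse_version(text):
    """Assumed minimal PEP 440 subset: release segment plus optional a/b/rc tag.

    Returns (release_tuple, pre_tuple) so that tuple comparison orders
    2.0.0rc1 < 2.0.0 and 3.0 == 3.0.0 (trailing zeros are stripped).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    if m.group(2):
        pre = ({"a": 0, "b": 1, "rc": 2}[m.group(2)], int(m.group(3)))
    else:
        pre = (3, 0)  # a final release sorts after every pre-release of itself
    return (tuple(parts), pre)


def normalize_name(name):
    """Normalize a distribution name the way pip does for comparison."""
    return name.strip().lower().replace("_", "-")


def is_affected(package, version):
    """True if `package==version` lies inside the advisory's affected range."""
    rng = ADVISORY_RANGES.get(normalize_name(package))
    if rng is None:
        return False
    v = parse_version(version)
    if rng["min"] is not None and v < parse_version(rng["min"]):
        return False
    return v < parse_version(rng["max_excl"])


def scan_freeze(text):
    """Return [(name, version, patched_version), ...] for every affected pin."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        if is_affected(name, version):
            patched = ADVISORY_RANGES[normalize_name(name)]["patched"]
            findings.append((name, version, patched))
    return findings


if __name__ == "__main__":
    for name, version, patched in scan_freeze(SAMPLE_FREEZE):
        print(f"{name}=={version} is affected; upgrade to {patched} or later")
```

For a real environment, feed the output of `pip freeze` (or the contents of a lock file) to `scan_freeze` and prefer `packaging.version.Version` over the assumed parser, since post-releases, dev tags and local version labels are outside the subset handled here.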
Affected products
59 affected package versions (OSV coordinates); none of these entries carries a CPE identifier.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-2 | < 2.11.1-r0 |
| pkg:apk/chainguard/airflow-3 | < 3.0.1-r1 |
| pkg:apk/chainguard/airflow-3-bitnami-compat | < 3.0.1-r1 |
| pkg:apk/chainguard/airflow-3-compat | < 3.0.1-r1 |
| pkg:apk/chainguard/airflow-core-2 | < 2.11.1-r0 |
| pkg:apk/chainguard/emissary | < 3.9.1-r4 |
| pkg:apk/chainguard/emissary-apiext | < 3.9.1-r4 |
| pkg:apk/chainguard/emissary-oci-entrypoint | < 3.9.1-r4 |
| pkg:apk/chainguard/kubeflow-jupyter-web-app | < 1.9.2-r1 |
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.4.0-r0 |
| pkg:apk/chainguard/kubeflow-volumes-web-app | < 1.9.2-r1 |
| pkg:apk/chainguard/mlflow | < 2.21.0-r0 |
| pkg:apk/chainguard/mlflow-bitnami | < 2.21.0-r0 |
| pkg:apk/chainguard/mlflow-iamguarded-compat | < 2.21.0-r0 |
| pkg:apk/chainguard/py3.10-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.10-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.11-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.11-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.12-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.12-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3.13-ambassador | < 3.9.1-r4 |
| pkg:apk/chainguard/py3.13-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3-supported-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/py3-werkzeug | < 3.0.6-r0 |
| pkg:apk/chainguard/superset | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-ci | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-entrypoint | < 4.0.2-r6 |
| pkg:apk/chainguard/superset-iamguarded-compat | < 4.0.2-r6 |
| pkg:apk/wolfi/airflow-3 | < 3.0.1-r1 |
| pkg:apk/wolfi/airflow-3-bitnami-compat | < 3.0.1-r1 |
| pkg:apk/wolfi/airflow-3-compat | < 3.0.1-r1 |
| pkg:apk/wolfi/emissary | < 3.9.1-r4 |
| pkg:apk/wolfi/emissary-apiext | < 3.9.1-r4 |
| pkg:apk/wolfi/emissary-oci-entrypoint | < 3.9.1-r4 |
| pkg:apk/wolfi/kubeflow-jupyter-web-app | < 1.9.2-r1 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.4.0-r0 |
| pkg:apk/wolfi/kubeflow-volumes-web-app | < 1.9.2-r1 |
| pkg:apk/wolfi/mlflow | < 2.21.0-r0 |
| pkg:apk/wolfi/mlflow-bitnami | < 2.21.0-r0 |
| pkg:apk/wolfi/mlflow-iamguarded-compat | < 2.21.0-r0 |
| pkg:apk/wolfi/py3.10-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.10-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.11-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.11-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.12-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.12-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3.13-ambassador | < 3.9.1-r4 |
| pkg:apk/wolfi/py3.13-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3-supported-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/py3-werkzeug | < 3.0.6-r0 |
| pkg:apk/wolfi/superset | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-ci | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-entrypoint | < 4.0.2-r6 |
| pkg:apk/wolfi/superset-iamguarded-compat | < 4.0.2-r6 |
| pkg:rpm/opensuse/python-Werkzeug&distro=openSUSE%20Leap%2015.5 | < 2.3.6-150400.6.12.1 |
| pkg:rpm/opensuse/python-Werkzeug&distro=openSUSE%20Leap%2015.6 | < 2.3.6-150400.6.12.1 |
| pkg:rpm/opensuse/python-Werkzeug&distro=openSUSE%20Tumbleweed | < 3.0.6-1.1 |
| pkg:rpm/suse/python-Werkzeug&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5 | < 2.3.6-150400.6.12.1 |
| pkg:rpm/suse/python-Werkzeug&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6 | < 2.3.6-150400.6.12.1 |
References
9 references:
- github.com/advisories/GHSA-q34m-jh98-gwm2 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-49767 (source: GHSA; type: ADVISORY)
- github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee (source: GHSA; type: WEB, x_refsource_MISC)
- github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f (source: GHSA; type: WEB, x_refsource_MISC)
- github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b (source: GHSA; type: WEB, x_refsource_MISC)
- github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5 (source: GHSA; type: WEB)
- github.com/pallets/werkzeug/releases/tag/3.0.6 (source: GHSA; type: WEB, x_refsource_MISC)
- github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2 (source: GHSA; type: WEB, x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20250103-0007 (source: GHSA; type: WEB)