Werkzeug is a Web Server Gateway Interface (WSGI) web application library. Applications that use `werkzeug.formparser.MultiPartParser` from a Werkzeug version prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specially crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Reserved 2024-10-18 | Published 2024-10-25 | Updated 2024-12-27 | Assigner GitHub_M
CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling
github.com/...rkzeug/security/advisories/GHSA-q34m-jh98-gwm2
github.com/...ommit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
github.com/...ommit/abb04a512496206de279225340ed022852fbf51f
github.com/...ommit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
github.com/pallets/werkzeug/releases/tag/3.0.6
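To check whether a project's requirement pins can still resolve to a release before 3.0.6, the following added example (not part of the advisory or of Werkzeug) classifies each Werkzeug line of a requirements-style file. The function names, verdict labels and sample input are assumptions made for this illustration, and only direct Werkzeug lines are inspected, not transitive dependencies.

```python
import re

FIXED = (3, 0, 6)  # first fixed Werkzeug release, per the advisory text

_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)(\.\*)?")


def _ver(text):
    """'3.0' -> (3, 0, 0); pre-release tags are not parsed."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(line):
    """None for non-Werkzeug lines, else 'fixed', 'vulnerable' or 'allows-vulnerable'."""
    m = _REQ.match(line)
    if not m or re.sub(r"[._-]+", "-", m.group(1)).lower() != "werkzeug":
        return None
    specs = []
    for op, ver, wildcard in _SPEC.findall(m.group(2)):
        # '==3.0.*' is a range, not a pin: treat it as a lower bound only.
        specs.append((">=" if wildcard and op == "==" else op, _ver(ver)))
    for op, v in specs:  # an exact pin decides on its own
        if op in ("==", "==="):
            return "fixed" if v >= FIXED else "vulnerable"
    # A lower bound at or above the fix excludes every affected release.
    if any(op in (">=", "~=", ">") and v >= FIXED for op, v in specs):
        return "fixed"
    # An upper bound at or below the fix admits only affected releases.
    if any((op == "<" and v <= FIXED) or (op == "<=" and v < FIXED) for op, v in specs):
        return "vulnerable"
    return "allows-vulnerable"  # unpinned, or a range that spans 3.0.6


def scan(text):
    """Return (line_number, requirement, verdict) for each Werkzeug line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, line.strip(), verdict))
    return hits


if __name__ == "__main__":
    sample = "flask==3.0.3\nWerkzeug==3.0.5\n"  # constructed sample input
    for n, req, verdict in scan(sample):
        print(f"line {n}: {req} -> {verdict}")
```

A verdict of `allows-vulnerable` means the resolver may still pick an affected release, so the lock file or installed environment decides the actual exposure.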