CVE-2023-46136
Published 2023-10-25
Priority P3 · 40 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.07% (60.7th percentile)
Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in versions 3.0.1 and 2.3.8.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-werkzeug | < python-werkzeug 2.2.2-3+deb12u1 (bookworm) | python-werkzeug 2.2.2-3+deb12u1 (bookworm) |
| msrc | azl3_python-werkzeug_2.2.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-werkzeug_3.0.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-werkzeug_2.3.7-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| pallets | werkzeug | — | — |
| pallets | werkzeug | — | — |
| palletsprojects | werkzeug | < 2.3.8 | 2.3.8 |
| palletsprojects | werkzeug | — | — |
| palletsprojects | werkzeug | >= 0 < 2.3.8 | 2.3.8 |
| palletsprojects | werkzeug | >= 3.0.0 < 3.0.1 | 3.0.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 8.0 | HIGH | — |
| vendor_msrc | 8.0 | HIGH | — |
| vendor_redhat | 8.0 | HIGH | — |
| vendor_oracle | 7.5 | HIGH | — |
VulDB
Pallets Werkzeug up to 3.0.0 Multipart denial of service (GHSA-hrfv-mqp8-q5rw)
vuldb·2026-05-21·CVSS 7.5
CVE-2023-46136 [HIGH] Pallets Werkzeug up to 3.0.0 Multipart denial of service (GHSA-hrfv-mqp8-q5rw)
A vulnerability was found in Pallets Werkzeug up to 3.0.0. It has been rated as problematic. The affected element is an unknown function of the component Multipart Handler. This manipulation causes denial of service.
This vulnerability is handled as CVE-2023-46136. The attack can only be done within the local network. There is not any exploit available.
Upgrading the affected component is advised.
OSV
CVE-2023-46136: Werkzeug is a comprehensive WSGI web application library
osv·2023-10-25·CVSS 7.5
CVE-2023-46136 [HIGH] CVE-2023-46136: Werkzeug is a comprehensive WSGI web application library
Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
GHSA
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
ghsa·2023-10-25
CVE-2023-46136 [MEDIUM] CWE-400 Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug's multipart data parser needs to find a boundary that may span consecutive chunks, which is why parsing is based on looking for newline characters. Unfortunately, the code that looks for a partial boundary in the buffer is written inefficiently: if an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests.
OSV
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
osv·2023-10-25
CVE-2023-46136 [MEDIUM] Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug's multipart data parser needs to find a boundary that may span consecutive chunks, which is why parsing is based on looking for newline characters. Unfortunately, the code that looks for a partial boundary in the buffer is written inefficiently: if an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests.
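The GHSA and OSV advisory text above describes the same scan pattern: after each appended chunk, the lookup runs again over the whole accumulated buffer. The following is an added, constructed illustration (not Werkzeug's parser and not the project's fix) that contrasts that whole-buffer rescan with a scan bounded to the bytes that can actually contain a boundary straddling the chunk edge, and counts how many bytes each examines; the boundary value, chunk sizes and function names are assumptions for the demonstration.

```python
# Constructed illustration, not Werkzeug's parser: it models only the scan
# pattern the advisory describes, whole-buffer rescan after every appended
# chunk (quadratic in the part size) versus a scan bounded to the bytes
# that could hold a boundary straddling the chunk edge.
from typing import Callable, Iterable, Tuple

Feed = Callable[[bytearray, bytes, bytes], Tuple[int, int]]

def naive_feed(buf: bytearray, chunk: bytes, boundary: bytes) -> Tuple[int, int]:
    """Append chunk, then search the entire buffer from offset 0.

    Returns (boundary offset or -1, bytes examined). A part that never
    matches keeps growing buf, and every feed re-examines all of it.
    """
    buf += chunk
    return buf.find(boundary), len(buf)

def bounded_feed(buf: bytearray, chunk: bytes, boundary: bytes) -> Tuple[int, int]:
    """Append chunk, but only rescan the tail that can contain a boundary.

    A boundary straddling the old/new edge starts at most len(boundary) - 1
    bytes before the end of the old data, so the window is that tail plus
    the new chunk; total work stays linear in the part size.
    """
    start = max(0, len(buf) - (len(boundary) - 1))
    buf += chunk
    return buf.find(boundary, start), len(buf) - start

def scan_part(feed: Feed, chunks: Iterable[bytes], boundary: bytes) -> Tuple[int, int]:
    """Feed chunks until the boundary is found; return (offset, bytes examined)."""
    buf = bytearray()
    examined = 0
    for chunk in chunks:
        idx, n = feed(buf, chunk, boundary)
        examined += n
        if idx != -1:
            return idx, examined
    return -1, examined

# Constructed sample part shaped as the advisory describes: a leading CR,
# filler with no CR/LF, and the real boundary only in the last chunk.
BOUNDARY = b"\r\n--b"
CHUNKS = [b"\r" + b"a" * 99] + [b"a" * 100] * 9 + [b"a" * 50 + BOUNDARY + b"tail"]

if __name__ == "__main__":
    for feed in (naive_feed, bounded_feed):
        idx, examined = scan_part(feed, CHUNKS, BOUNDARY)
        print(f"{feed.__name__}: boundary at {idx}, examined {examined} bytes")
```

Both scans locate the boundary at the same offset; only the bytes-examined count differs, and that gap widens with every additional chunk of a non-matching part.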
Oracle
Oracle: Oracle Communications Risk Matrix: ATS Framework (Werkzeug) — CVE-2023-46136
vendor_oracle·2024-10-15·CVSS 7.5
CVE-2023-46136 [HIGH] Oracle: Oracle Communications Risk Matrix: ATS Framework (Werkzeug) — CVE-2023-46136
Oracle: Oracle Communications Risk Matrix: ATS Framework (Werkzeug) vulnerability
CVE: CVE-2023-46136
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
Red Hat
python-werkzeug: high resource consumption leading to denial of service
vendor_redhat·2023-10-25·CVSS 8.0
CVE-2023-46136 [HIGH] CWE-407 python-werkzeug: high resource consumption leading to denial of service
python-werkzeug: high resource consumption leading to denial of service
Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
A resource consumption flaw was found in python-werkzeug. If a specially crafted file is uploaded by a remote attacker, it may cause a denial of service.
Microsoft
Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
vendor_msrc·2023-10-10·CVSS 8.0
CVE-2023-46136 [HIGH] CWE-787 Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Debian
CVE-2023-46136: python-werkzeug - Werkzeug is a comprehensive WSGI web application library. If an upload of a file...
vendor_debian·2023·CVSS 8.0
CVE-2023-46136 [HIGH] CVE-2023-46136: python-werkzeug - Werkzeug is a comprehensive WSGI web application library. If an upload of a file...
Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
Scope: local
bookworm: resolved (fixed in 2.2.2-3+deb12u1)
bullseye: resolved
forky: resolved (fixed in 3.0.1-2)
sid: resolved (fixed in 3.0.1-2)
trixie: resolved (fixed in 3.0.1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
https://security.netapp.com/advisory/ntap-20231124-0008/