CVE-2024-49767
Published: 2024-10-25
Priority: P341 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.09% (percentile 61.3)
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-werkzeug | < python-werkzeug 2.2.2-3+deb12u1 (bookworm) | python-werkzeug 2.2.2-3+deb12u1 (bookworm) |
| debian | quart | < python-werkzeug 2.2.2-3+deb12u1 (bookworm) | python-werkzeug 2.2.2-3+deb12u1 (bookworm) |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-werkzeug_3.0.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-werkzeug_2.3.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| pallets | quart | < 0.20.0 | 0.20.0 |
| pallets | werkzeug | — | — |
| palletsprojects | quart | < 0.19.7 | 0.19.7 |
| palletsprojects | quart | >= 0 < 0.19.9-1 | 0.19.9-1 |
| palletsprojects | quart | >= 0 < 0.19.9-1 | 0.19.9-1 |
| palletsprojects | quart | >= 0 < 0.20.0 | 0.20.0 |
| palletsprojects | werkzeug | < 3.0.6 | 3.0.6 |
| palletsprojects | werkzeug | >= 0 < 3.0.6 | 3.0.6 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_oracle | — | 7.5 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
GHSA
Werkzeug possible resource exhaustion when parsing file data in forms
ghsa·2024-10-25·MEDIUM·CWE-400
Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.
The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.
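The advisory above points to `Request.max_content_length` and deployment-level limits as the controls this bug does not bypass. As an added example that is not Werkzeug's or the advisory's own code, the following pure-Python WSGI middleware applies the same kind of hard body-size ceiling in front of a Werkzeug or Flask app, before any multipart parsing runs; the class, argument names and the stand-in upstream app are hypothetical.

```python
# Added example (not Werkzeug's or the advisory's own code): a WSGI
# middleware that enforces a hard body-size ceiling in front of a
# Werkzeug/Flask app, the same role the advisory assigns to
# Request.max_content_length, but applied before any multipart parsing
# runs. Class and argument names are hypothetical.

class BodySizeLimiter:
    """Reject requests whose declared body exceeds ``max_bytes``.

    Bodies with no Content-Length (chunked transfer) cannot be bounded
    up front, so they are refused too unless ``reject_unsized`` is off.
    """

    def __init__(self, app, max_bytes, reject_unsized=True):
        self.app = app
        self.max_bytes = max_bytes
        self.reject_unsized = reject_unsized

    def check(self, environ):
        """Return (status, reason) to reject, or None to pass through."""
        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD", "OPTIONS"):
            return None
        raw = environ.get("CONTENT_LENGTH", "")
        if raw == "":
            if self.reject_unsized:
                return ("411 Length Required", "Content-Length required")
            return None
        try:
            length = int(raw)
        except ValueError:
            length = -1
        if length < 0:
            return ("400 Bad Request", "invalid Content-Length")
        if length > self.max_bytes:
            return ("413 Request Entity Too Large", "body exceeds limit")
        return None

    def __call__(self, environ, start_response):
        verdict = self.check(environ)
        if verdict is None:
            return self.app(environ, start_response)
        status, reason = verdict
        body = reason.encode()
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]


def upstream_app(environ, start_response):
    """Stand-in for the protected Werkzeug/Flask app (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"parsed"]
```

Wrap the real application as `BodySizeLimiter(app, max_bytes=...)`; this complements, not replaces, upgrading to Werkzeug 3.0.6 and setting the reverse proxy's own request-size limit.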
OSV
Werkzeug possible resource exhaustion when parsing file data in forms
osv·2024-10-25·MEDIUM
OSV
CVE-2024-49767: Werkzeug is a Web Server Gateway Interface web application library
osv·2024-10-25·CVSS 6.9·MEDIUM
Oracle
Oracle Communications Risk Matrix: Platform (Quart) vulnerability
vendor_oracle·2025-07-15·CVSS 7.5·MEDIUM
CVE: CVE-2024-49767
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Oracle
Oracle Communications Risk Matrix: Signaling (Werkzeug) vulnerability
vendor_oracle·2025-04-15·CVSS 7.5·MEDIUM
CVE: CVE-2024-49767
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2025 (APR 2025)
Oracle
Oracle Communications Risk Matrix: ATS Framework (Werkzeug) vulnerability
vendor_oracle·2025-01-15·CVSS 7.5·MEDIUM
CVE: CVE-2024-49767
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
Ubuntu
Werkzeug vulnerability
vendor_ubuntu·2024-11-05
Summary: Werkzeug could be made to consume resources if it received specially crafted network traffic.
It was discovered that Werkzeug incorrectly handled multiple form submission requests. A remote attacker could possibly use this issue to cause Werkzeug to consume resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms
vendor_redhat·2024-10-25·CVSS 6.9·MEDIUM·CWE-770
A flaw was found in the Werkzeug web application library. Applications us
Microsoft
Werkzeug possible resource exhaustion when parsing file data in forms
vendor_msrc·2024-10-08·CVSS 7.5·MEDIUM·CWE-400
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2024-49767: python-werkzeug - Werkzeug is a Web Server Gateway Interface web application library. Applications...
vendor_debian·2024·CVSS 6.9
Scope: local
bookworm: resolved (fixed in 2.2.2-3+deb12u1)
bullseye: resolved
forky: resolved (fixed in 3.1.3-2)
sid: resolved (fixed in 3.1.3-2)
trixie: resolved (fixed in
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
- https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
- https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
- https://github.com/pallets/werkzeug/releases/tag/3.0.6
- https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
- https://security.netapp.com/advisory/ntap-20250103-0007/