CVE-2024-49767: Uncontrolled Resource Consumption in Werkzeug

Severity
6.9 MEDIUM (NVD)
EPSS
1.1%
top 22.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 25
Latest update: Jul 15

Description

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no uppe

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages (4 packages)

CVEList V5: pallets/werkzeug < 3.0.6
NVD: palletsprojects/quart < 0.19.7

Patches

🔴 Vulnerability Details (4)

GHSA: Werkzeug possible resource exhaustion when parsing file data in forms (2024-10-25)
OSV: Werkzeug possible resource exhaustion when parsing file data in forms (2024-10-25)
CVEList: Werkzeug possible resource exhaustion when parsing file data in forms (2024-10-25)
OSV: CVE-2024-49767: Werkzeug is a Web Server Gateway Interface web application library (2024-10-25)

📋 Vendor Advisories (7)

Oracle: Oracle Communications Risk Matrix: Platform (Quart) — CVE-2024-49767 (2025-07-15)
Oracle: Oracle Communications Risk Matrix: Signaling (Werkzeug) — CVE-2024-49767 (2025-04-15)
Oracle: Oracle Communications Risk Matrix: ATS Framework (Werkzeug) — CVE-2024-49767 (2025-01-15)
Ubuntu: Werkzeug vulnerability (2024-11-05)
Red Hat: werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms (2024-10-25)