Werkzeug may allow high resource usage when parsing multipart form data with many fields
CVE-2023-25577
What is CVE-2023-25577?
The Werkzeug library, a widely used WSGI web application framework, suffers from a vulnerability in its multipart form data parser that can lead to substantial resource consumption. Versions prior to 2.2.3 allow an attacker to send specially crafted multipart data to any endpoint that processes `request.data`, `request.form`, or `request.files`. Because the parser places no limit on the number of multipart parts it will process, a request containing a very large number of fields causes excessive CPU usage and can exhaust memory. This can lead to denial of service, where legitimate requests are no longer processed in a timely manner, or to worker processes being killed by out-of-memory errors. Users are strongly encouraged to upgrade to version 2.2.3 or later to mitigate this vulnerability.
Affected Version(s)
werkzeug < 2.2.3