Werkzeug Web Server Gateway Interface Vulnerability: Denial of Service Attack via Maliciously Formatted Submission
CVE-2024-49767

7.5HIGH

Key Information:

Vendor: Pallets
Status: Vendor
CVE Published: 25 October 2024

What is CVE-2024-49767?

CVE-2024-49767 affects applications that use werkzeug.formparser.MultiPartParser to handle multipart/form-data requests. In Werkzeug versions before 3.0.6 the parser is susceptible to resource exhaustion: a maliciously crafted form submission causes it to allocate memory between three and eight times larger than the upload itself. A single upload sent at high speed can therefore consume a large amount of RAM and crash the application, resulting in a denial of service. The vulnerability is mitigated in Werkzeug version 3.0.6.
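The following is an added defensive example, not code from the advisory or from the Pallets project. It shows a version check against the 3.0.6 fix and a hypothetical pure-WSGI middleware (MultipartBodyLimit, LimitedBody, echo_app, run_request are all assumed names) that bounds how much multipart body the framework's parser can ever read, so the three-to-eight-times allocation described above stays bounded while the upgrade to 3.0.6 is rolled out. It assumes the multipart parser consumes the body through the stream's read() method.

```python
from io import BytesIO
FIXED_VERSION = (3, 0, 6)  # first werkzeug release that mitigates CVE-2024-49767

def werkzeug_is_vulnerable(version: str) -> bool:
    """True when a reported werkzeug version string is older than 3.0.6."""
    parts = [int("".join(c for c in t if c.isdigit()) or 0) for t in version.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts))) < FIXED_VERSION

class BodyTooLarge(Exception):
    """Raised when the app reads more body bytes than the configured limit."""

class LimitedBody:
    """Wraps wsgi.input so reads fail once `limit` bytes have been consumed.
    Catches bodies whose real size exceeds the declared Content-Length."""
    def __init__(self, stream, limit):
        self._stream, self._limit, self._seen = stream, limit, 0
    def read(self, size=-1):  # assumption: the multipart parser pulls chunks via read()
        data = self._stream.read(size)
        self._seen += len(data)
        if self._seen > self._limit:
            raise BodyTooLarge(f"request body exceeded {self._limit} bytes")
        return data

class MultipartBodyLimit:
    """Hypothetical WSGI middleware: bound multipart/form-data bodies before the parser sees them."""
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes
    def __call__(self, environ, start_response):
        if environ.get("CONTENT_TYPE", "").lower().startswith("multipart/form-data"):
            declared = environ.get("CONTENT_LENGTH") or "0"
            if not declared.isdigit() or int(declared) > self.max_bytes:
                start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
                return [b"multipart body exceeds configured limit\n"]
            environ["wsgi.input"] = LimitedBody(environ["wsgi.input"], self.max_bytes)
        return self.app(environ, start_response)

def echo_app(environ, start_response):
    """Stand-in for the real app: reads the entire body, as a form parser would."""
    size = len(environ["wsgi.input"].read())
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(size).encode()]

def run_request(app, body: bytes, content_length: str,
                content_type="multipart/form-data; boundary=x") -> str:
    """Drive `app` with a constructed WSGI environ; return the status line it sent."""
    sent = {}
    environ = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": content_type,
               "CONTENT_LENGTH": content_length, "wsgi.input": BytesIO(body)}
    def start_response(status, headers, exc_info=None):
        sent["status"] = status
    list(app(environ, start_response))  # consume the response body
    return sent["status"]
```

The middleware is a bound, not a fix: an undersized but well-formed upload still triggers the disproportionate allocation, so the version check is the one that matters.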

Affected Version(s)

werkzeug < 3.0.6

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
