CVE-2024-49767
Severity CVSS v4.0: MEDIUM
Type: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date: 25/10/2024
Last modified: 03/01/2025
Description
Werkzeug is a Web Server Gateway Interface web application library. Applications that use `werkzeug.formparser.MultiPartParser` from a Werkzeug version prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specially crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Impact
Base Score 4.0: 6.90
Severity 4.0: MEDIUM
Base Score 3.x: 7.50
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:palletsprojects:quart:*:*:*:*:*:python:*:* | | 0.19.7 (excluding) |
| cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:* | | 3.0.6 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
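As an added example (not part of this advisory or of the Werkzeug or Quart projects), the following Python code checks a pip requirements file against the two fixed versions listed in the table above. The function names and the sample input are constructed for illustration; only exact `==` pins with plain numeric versions are evaluated, anything else is reported as `unpinned`.

```python
import re

# First fixed releases, taken from the "Vulnerable products and versions" table.
FIXED = {"werkzeug": (3, 0, 6), "quart": (0, 19, 7)}

# name, optional [extras], then an exact pin on a purely numeric version.
PIN = re.compile(r"^[A-Za-z0-9._-]+(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def release_tuple(version, width=3):
    """Turn '3.1' into (3, 1, 0) so short versions compare correctly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def audit(requirements_text):
    """Return {package: (status, version)} for the packages named in FIXED.

    status is 'vulnerable', 'fixed', or 'unpinned' (no plain == pin, so the
    installed version cannot be decided from the file alone).
    """
    findings = {}
    for raw in requirements_text.splitlines():
        # Drop trailing comments and environment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[\[<>=!~\s]", line, maxsplit=1)[0]
        name = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalisation
        if name not in FIXED:
            continue
        match = PIN.match(line)
        if not match:
            findings[name] = ("unpinned", None)
            continue
        version = match.group(1)
        vulnerable = release_tuple(version) < FIXED[name]
        findings[name] = ("vulnerable" if vulnerable else "fixed", version)
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
Flask==3.0.3
Werkzeug==3.0.4        # pulled in by Flask
quart[dotenv]==0.19.7 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for pkg, (status, version) in audit(SAMPLE).items():
        print(f"{pkg}: {version or 'any'} -> {status}")
```

An `unpinned` result means the version has to be confirmed in the deployed environment, for example from the output of `pip freeze`.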
References to Advisories, Solutions, and Tools
- https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
- https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
- https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
- https://github.com/pallets/werkzeug/releases/tag/3.0.6
- https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
- https://security.netapp.com/advisory/ntap-20250103-0007/



