CVE-2024-49767

Werkzeug possible resource exhaustion when parsing file data in forms

Severity Score

6.9

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.

A flaw was found in the Werkzueg web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service.

It was discovered that Werkzeug incorrectly handled multiple form submission requests. A remote attacker could possibly use this issue to cause Werkzeug to consume resources, leading to a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

None

Availability

Low

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-18 CVE Reserved
2024-10-25 CVE Published
2025-01-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (7)

URL	Tag	Source
https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee	X_refsource_misc
https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b	X_refsource_misc
https://github.com/pallets/werkzeug/releases/tag/3.0.6	X_refsource_misc
https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2	X_refsource_confirm
https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-49767	2025-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=2321829	2025-02-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pallets Search vendor "Pallets"		Werkzeug Search vendor "Pallets" for product "Werkzeug"				< 3.0.6 Search vendor "Pallets" for product "Werkzeug" and version " < 3.0.6"		en		Affected