Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-49767

UNKNOWN
Published 2024-10-25T19:41:35.029Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-49767. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

pallets

werkzeug

Affected Versions:

< 3.0.6
palletsprojects

werkzeug

Affected Versions:

0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Werkzeug possible resource exhaustion when parsing file data in forms

GHSA-q34m-jh98-gwm2

Advisory Details

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting. The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

Affected Packages

PyPI Werkzeug
ECOSYSTEM: ≥0 <3.0.6
PyPI Quart
ECOSYSTEM: ≥0 <0.20.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

WEB https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-49767
WEB https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
WEB https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
WEB https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
PACKAGE https://github.com/pallets/werkzeug
WEB https://github.com/pallets/werkzeug/releases/tag/3.0.6
WEB https://security.netapp.com/advisory/ntap-20250103-0007

Advisory provided by GitHub Security Advisory Database. Published: October 25, 2024, Modified: January 3, 2025

References

https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
https://github.com/pallets/werkzeug/releases/tag/3.0.6
Published: 2024-10-25T19:41:35.029Z
Last Modified: 2025-01-03T12:04:27.829Z
Copied to clipboard!