Skip to main content

Werkzeug CVE-2023-46136

HIGH
Uncontrolled Resource Consumption (CWE-400)
2023-10-25 security-advisories@github.com
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 18:17 github-advisory
HIGH 8.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 pypi packages depend on werkzeug (16 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionGitHub Advisory

Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1 and 2.3.8.

AnalysisAI

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1 and 2.3.8. Affected products include: Palletsprojects Werkzeug. Version information: prior to 3.0.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2024-34069 HIGH POC
7.5 May 06

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2019-14322 HIGH POC
7.5 Jul 28

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Rated

CVE-2020-28724 MEDIUM POC
6.1 Nov 18

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. Rated medium severity (CVSS 6.1), t

CVE-2022-29361 CRITICAL
9.8 May 25

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smugglin

CVE-2023-25577 HIGH
7.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2019-14806 HIGH
7.5 Aug 09

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker container

CVE-2025-66221 MEDIUM
6.3 Nov 29

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remote

CVE-2024-49766 MEDIUM
6.3 Oct 25

Werkzeug is a Web Server Gateway Interface web application library. Rated medium severity (CVSS 6.3), this vulnerability

CVE-2016-10516 MEDIUM
6.1 Oct 23

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werk

CVE-2026-27199 MEDIUM
5.3 Feb 21

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function whe

CVE-2026-21860 MEDIUM
5.3 Jan 08

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allo

CVE-2023-23934 LOW
3.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated low severity (CVSS 3.5), this vulnerability is no authen

Share

CVE-2023-46136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy