CVE Alert

CVE-2024-49767

Werkzeug possible resource exhaustion when parsing file data in forms

Severity: UNKNOWN
CVSS Score: 0.0 (not scored on this page)
EPSS Score: 1.1%
EPSS Percentile: 78th

Werkzeug is a Web Server Gateway Interface (WSGI) web application library. Applications that use `werkzeug.formparser.MultiPartParser` from a Werkzeug version prior to 3.0.6 to parse `multipart/form-data` requests (which includes every Flask application, since Flask hands `request.form` and `request.files` to this parser) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specially crafted form submission can cause the parser to allocate, and hold, 3 to 8 times the upload size in main memory. There is no upper limit on this amplification: a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug 3.0.6 fixes the issue. Quart is listed as affected before 0.20.0 and was patched separately (see the Quart commits under References).

CWE: CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)
Vendor: pallets
Product: werkzeug
Published: Oct 25, 2024
Last Updated: May 20, 2026

Affected Versions

pallets / werkzeug
>= 2.0.0rc1, < 3.0.6
pallets / Quart
< 0.20.0
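The quickest practical check for the description and the affected ranges above is to scan a pinned dependency listing for the two ranges the advisory gives (Werkzeug >= 2.0.0rc1, < 3.0.6 and Quart < 0.20.0). The script below is an added example, not code from the advisory or from the Pallets projects; it uses only the standard library so it runs where neither Werkzeug nor `packaging` is installed, and the `pip freeze` listing it scans is constructed for illustration. Its version parser covers final releases and a/b/rc pre-releases, which is enough to handle the `2.0.0rc1` lower bound; post, dev and local segments are deliberately out of scope and are skipped rather than guessed at.

```python
"""Check a `pip freeze` style listing against the affected ranges published
for CVE-2024-49767. Standard library only."""
import re

# Affected ranges exactly as listed in the advisory:
# (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = {
    "werkzeug": ("2.0.0rc1", "3.0.6"),
    "quart": (None, "0.20.0"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number


def parse_version(text):
    """Parse a release version with an optional a/b/rc pre-release into a
    comparable tuple. Post/dev/local segments are unsupported and raise."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (4 - len(release))  # so that 3.0 and 3.0.0 compare equal
    if m.group(2) is None:
        return (release, _FINAL_RANK, 0)
    return (release, _PRE_RANK[m.group(2)], int(m.group(3)))


def is_affected(package, version):
    """True if `package==version` falls inside an advisory range."""
    key = re.sub(r"[-_.]+", "-", package).lower()  # PEP 503 name normalisation
    if key not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[key]
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v < parse_version(high)


def scan_freeze(freeze_text):
    """Return [(name, version)] for every pinned package in a `pip freeze`
    listing that is inside an affected range. Unpinned lines and versions
    the parser does not understand are skipped, not guessed at."""
    hits = []
    for line in freeze_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        try:
            if is_affected(name, version):
                hits.append((name, version))
        except ValueError:
            continue
    return hits


# Constructed sample listing (not from the page): one vulnerable Werkzeug pin,
# one vulnerable Quart pin, plus unaffected packages.
SAMPLE_FREEZE = """\
Flask==3.0.3
Werkzeug==3.0.3
Quart==0.19.6
Jinja2==3.1.4
"""

if __name__ == "__main__":
    for name, version in scan_freeze(SAMPLE_FREEZE):
        print(f"{name}=={version} is inside the CVE-2024-49767 affected range")
```

Run it against `pip freeze > freeze.txt` output from each deployed environment, not only the lock file, since a transitively upgraded or vendored Werkzeug is easy to miss. Upgrading to Werkzeug 3.0.6 (or Quart 0.20.0) is the fix; a request-body cap such as Flask's `MAX_CONTENT_LENGTH` only bounds the worst case to a multiple of that cap, because the advisory's 3 to 8 times amplification still applies to whatever the cap lets through.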

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49767
CVE.org: https://www.cve.org/CVERecord?id=CVE-2024-49767
EPSS Data: external link on the original page
GitHub advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
Werkzeug fix commit: https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
Werkzeug 3.0.6 release: https://github.com/pallets/werkzeug/releases/tag/3.0.6
Quart commit: https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
Quart commit: https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
NetApp advisory: https://security.netapp.com/advisory/ntap-20250103-0007/