Resource Exhaustion Affecting airflow-2-compat package, versions <2.11.2-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
1.09% (62nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-AIRFLOW2COMPAT-14039061
  • published18 Nov 2025
  • disclosed25 Oct 2024

Introduced: 25 Oct 2024

CVE-2024-49767  (opens in a new tab)
CWE-400  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Minimos:latest airflow-2-compat to version 2.11.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream airflow-2-compat package and not the airflow-2-compat package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser corresponding to a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.

CVSS Base Scores

version 3.1