<p>Upgrade <code>werkzeug</code> to version 2.3.8, 3.0.1 or higher.</p>

Inefficient Algorithmic Complexity Affecting werkzeug package, versions [,2.3.8) [3.0.0,3.0.1)

Threat Intelligence

0.09% (41^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-WERKZEUG-6035177
published 26 Oct 2023
disclosed 25 Oct 2023
credit Paweł Srokosz

Report a new vulnerability Found a mistake?

Introduced: 25 Oct 2023

CVE-2023-46136 Open this link in a new tab CWE-407 Open this link in a new tab

How to fix?

Upgrade werkzeug to version 2.3.8, 3.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.

Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Adjacent
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

None
Availability (A)

High

Inefficient Algorithmic Complexity Affecting werkzeug package, versions [,2.3.8) [3.0.0,3.0.1)

Severity

CVSS assessment made by Snyk's Security Team

Threat Intelligence

Introduced: 25 Oct 2023

How to fix?

Overview

References

CVSS Scores

Snyk

NVD

SUSE

Red Hat