CVE-2024-49767: Werkzeug possible resource exhaustion when parsing file data in forms

Published Oct 25, 2024
·
Updated

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting. The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

Affected Software

9 affected componentsFixes available
debian/python-werkzeug<=1.0.1+dfsg1-2+deb11u1, <=2.2.2-3, <=3.0.4-1
debian/quart<=0.14.1-1, <=0.18.3-2, <=0.19.6-1
pip/Quart<0.20.0
0.20.0
pip/werkzeug<=3.0.5
3.0.6
palletsprojects Quart Python<0.19.7
palletsprojects Werkzeug<3.0.6
IBM Storage Defender - Resiliency Service<=2.0.0 - 2.0.9
Microsoft azl3 python-werkzeug 3.0.3-2
Patch available
Microsoft cbl2 python-werkzeug 2.3.7-3
Patch available

Remediation

Patch Available

https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee

Patch Available

https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b

Event History

Oct 25, 2024
CVE Published
via MITRE·07:41 PM
Data Sourced
via MITRE·07:41 PM
DescriptionWeakness
Advisory Published
via GitHub·07:44 PM
Nov 9, 2024
Data Sourced
via Ubuntu·11:51 PM
RemedyDescriptionSeverityAffected Software
Dec 7, 2024
Data Sourced
via Microsoft·08:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
DescriptionSeverity
Dec 18, 2024
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Apr 26, 58354
Event
via NVD·08:14 PM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-49767?

CVE-2024-49767 is classified as a moderate severity vulnerability due to potential resource exhaustion.

2

How do I fix CVE-2024-49767?

To address CVE-2024-49767, upgrade to Quart version 0.20.0 or Werkzeug version 3.0.6 or later.

3

What applications are affected by CVE-2024-49767?

CVE-2024-49767 affects applications that use Werkzeug and Quart versions up to specific thresholds as noted in the affected software list.

4

Can CVE-2024-49767 impact my application's performance?

Yes, exploited properly, CVE-2024-49767 can lead to significant performance degradation or denial of service due to resource exhaustion.

5

Is my deployment at risk with CVE-2024-49767?

If you are using affected versions of Werkzeug or Quart, your deployment could be at risk for CVE-2024-49767 if proper mitigations are not in place.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203