PT-2023-29869 · Werkzeug+4
Psrok1 · Published 2023-10-24 · Updated 2026-06-03
CVE-2023-46136
CVSS v3.1 8.0 High
| Vector | AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Werkzeug versions prior to 3.0.1
Description
The issue lies in the multipart data parser of the Werkzeug library. If a file upload starts with CR or LF and is followed by a large amount of data containing neither character, the library appends all of these bytes, chunk by chunk, to an internal bytearray and searches the whole growing buffer for the boundary after each append. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that parses it: the CPU time required can block worker processes from handling legitimate requests, the RAM required can trigger an out-of-memory kill of the process, and if many concurrent requests are sent continuously, all available workers can be exhausted or killed.
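The buffering pattern described above, modelled as a toy illustration: a naive scanner that re-searches the entire growing buffer after every chunk next to a bounded-window scanner that keeps only a short carry-over, so the same boundary is found with far less work. This is added example code, not Werkzeug's parser; the boundary string, the helper names and the constructed sample chunks are assumptions.

```python
# Toy model of two buffering strategies; not Werkzeug's own code.
# BOUNDARY and the sample chunks below are constructed for illustration.
BOUNDARY = b"\r\n--boundary"          # delimiter the parser searches for
TAIL = len(BOUNDARY) - 1              # longest boundary prefix a chunk can end with


def naive_scan(chunks):
    """Append every chunk to one growing bytearray and re-search all of it.
    Returns (bytes_examined, file_data): work grows quadratically in the
    number of chunks when no CR/LF ever appears in the data."""
    buf = bytearray()
    examined = 0
    for chunk in chunks:
        buf += chunk
        examined += len(buf)           # every find() walks the whole buffer
        idx = buf.find(BOUNDARY)
        if idx != -1:
            return examined, bytes(buf[:idx])
    return examined, None


def bounded_scan(chunks):
    """Emit bytes that can no longer be part of a boundary and keep only a
    TAIL-byte carry-over, so each chunk is examined roughly once.
    A boundary split across two chunks is still found via the carry-over."""
    carry = bytearray()
    data = bytearray()
    examined = 0
    for chunk in chunks:
        buf = carry + chunk
        examined += len(buf)
        idx = buf.find(BOUNDARY)
        if idx != -1:
            data += buf[:idx]
            return examined, bytes(data)
        split = max(0, len(buf) - TAIL)  # bytes before split cannot start a match
        data += buf[:split]
        carry = buf[split:]
    return examined, None


def sample_chunks(n_chunks=100, chunk_size=1024):
    """Constructed input: a leading LF, then n_chunks CR/LF-free chunks,
    then the closing boundary (the shape the advisory describes)."""
    return [b"\n"] + [b"A" * chunk_size] * n_chunks + [BOUNDARY + b"\r\n"]


if __name__ == "__main__":
    slow, data = naive_scan(sample_chunks())
    fast, same = bounded_scan(sample_chunks())
    assert data == same
    print(f"naive examined {slow} bytes, bounded examined {fast} bytes")
```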
Recommendations
For versions prior to 3.0.1, update to version 3.0.1 to resolve the issue. As a temporary workaround, consider restricting the upload of files that start with CR or LF to minimize the risk of exploitation. Avoid using the multipart data parser with untrusted input until the issue is resolved.
Exploit
Fix
DoS
Memory Corruption
Resource Exhaustion
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Red Os
Suse
Werkzeug