PT-2023-2540 · Werkzeug

Das7Pad · Published 2023-02-14 · Updated 2026-01-22 · CVE-2023-25577

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Werkzeug versions prior to 2.2.3
Description: The multipart form data parser in Werkzeug parses an unlimited number of parts, including file parts. This can cause unexpectedly high resource usage when a request is made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False). An attacker can exploit this to cause a denial of service by sending crafted multipart data to an endpoint that parses it, blocking worker processes from handling legitimate requests, triggering an out-of-memory kill of the process, or exhausting the available workers.
Recommendations: For versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue. As a temporary workaround, restrict access to endpoints that parse multipart form data to minimize the risk of exploitation, and avoid reading request.data, request.form, request.files, or request.get_data(parse_form_data=False) in affected API endpoints until the upgrade is in place.
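The mechanism behind the description and the recommendations above, as an added example (not Werkzeug's code and not part of the advisory): a small stand-alone multipart scanner that shows the unbounded behaviour of Werkzeug before 2.2.3 (work and memory grow with the number of parts the client sends) beside the fix class, a hard cap on the part count, which is the role Werkzeug 2.2.3's Request.max_form_parts plays with its default of 1000. The names BOUNDARY, build_multipart, count_parts, boundary_from_content_type and check_multipart_request are this example's own, the payload is constructed, and the boundary scanning is simplified (CRLF-delimited, well-formed bodies only).

```python
"""
Bounded multipart/form-data part counting.

Added example, not Werkzeug's code: a minimal stand-alone scanner that shows the
failure mode behind CVE-2023-25577 (a parser that accepts any number of parts)
beside the fix class (a hard cap on part count, the role Werkzeug 2.2.3's
Request.max_form_parts plays). The boundary scanning is simplified and assumes
CRLF-delimited, well-formed bodies; the payload builder is constructed data.
"""
import re
from typing import Dict, Optional, Tuple

BOUNDARY = b"----ConstructedBoundaryForExample"  # constructed, not from the page
DEFAULT_MAX_PARTS = 1000  # matches Werkzeug 2.2.3's default for max_form_parts

_BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


class TooManyParts(ValueError):
    """Raised as soon as the part cap is exceeded, before further allocation."""


def build_multipart(num_parts: int, field_size: int = 8, boundary: bytes = BOUNDARY) -> bytes:
    """Construct a multipart/form-data body with num_parts tiny form fields.

    This is the shape the advisory describes: cheap for the sender, but each part
    costs the receiver a parse step and a stored value unless the count is capped.
    """
    chunks = []
    for i in range(num_parts):
        chunks.append(b"--" + boundary + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i)
        chunks.append(b"x" * field_size + b"\r\n")
    chunks.append(b"--" + boundary + b"--\r\n")
    return b"".join(chunks)


def count_parts(body: bytes, boundary: bytes, max_parts: Optional[int]) -> int:
    """Walk the body part by part and return the part count.

    max_parts=None reproduces the unbounded behaviour of Werkzeug < 2.2.3: work
    and memory grow with whatever the client sends. With a cap, TooManyParts is
    raised the moment part max_parts + 1 is seen, so cost is bounded by the cap.
    """
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        return 0
    count = 0
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):
            return count  # closing delimiter "--boundary--"
        nxt = body.find(b"\r\n" + delim, pos)
        if nxt < 0:
            raise ValueError("unterminated multipart body")
        count += 1
        if max_parts is not None and count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts")
        pos = nxt + 2  # skip the CRLF that precedes the next delimiter


def boundary_from_content_type(content_type: str) -> Optional[bytes]:
    """Return the boundary for a multipart/form-data Content-Type, else None."""
    if not content_type.strip().lower().startswith("multipart/form-data"):
        return None
    match = _BOUNDARY_RE.search(content_type)
    return match.group(1).encode("ascii") if match else None


def check_multipart_request(headers: Dict[str, str], body: bytes,
                            max_parts: int = DEFAULT_MAX_PARTS) -> Tuple[bool, str]:
    """Gate a request before any unbounded parser sees it: (accepted, reason).

    Stands in for the advisory's interim workaround of keeping request.form /
    request.files style parsing away from untrusted multipart input until
    Werkzeug >= 2.2.3 is deployed. Non-multipart requests pass through.
    Header lookup assumes a canonical "Content-Type" key (a real WSGI layer
    would read environ["CONTENT_TYPE"] instead).
    """
    boundary = boundary_from_content_type(headers.get("Content-Type", ""))
    if boundary is None:
        return True, "not multipart"
    try:
        n = count_parts(body, boundary, max_parts)
    except TooManyParts as exc:
        return False, str(exc)
    except ValueError as exc:
        return False, f"malformed multipart body: {exc}"
    return True, f"{n} parts"


if __name__ == "__main__":
    hdr = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY.decode()}
    flood = build_multipart(100_000)  # constructed flood: 100k tiny parts
    print("unbounded:", count_parts(flood, BOUNDARY, None))   # 100000
    print("capped:   ", check_multipart_request(hdr, flood))  # (False, 'more than 1000 parts')
```

The point of the cap is where it is enforced: the check runs inside the loop before the next part is stored, so a body with a million parts costs at most max_parts steps, whereas the unbounded variant's cost is set entirely by the client. In a real deployment the upgrade to Werkzeug 2.2.3 (and, if the default does not fit, tuning Request.max_form_parts) is the fix; a gate like check_multipart_request is only a stopgap in front of endpoints that must stay reachable.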

Exploit · Fix · DoS

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

ALT-PU-2023-7835
ALT-PU-2025-3304
AZL-13588
BDU:2023-02343
CVE-2023-25577
DLA-3346-1
DSA-5470-1
GHSA-XG9F-G7G7-2323
OESA-2023-1515
OPENSUSE-SU-2024:12788-1
PYSEC-2023-58
RHSA-2023:1018
RHSA-2023:1281
RHSA-2023:1325
RHSA-2023:7473
RHSA-2025:4664
RHSA-2025:9775
ROSA-SA-2024-2530
SUSE-SU-2023:1664-1
SUSE-SU-2023:1693-1
SUSE-SU-2023:1775-1
SUSE-SU-2023:2378-1
SUSE-SU-2023:2379-1
USN-5948-1
USN-5948-2

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu
Werkzeug