PT-2024-33677 · Werkzeug+7

Defnull · Published 2024-10-25 · Updated 2026-01-22 · CVE-2024-49767

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Werkzeug versions prior to 3.0.6
Description: Applications using werkzeug.formparser.MultiPartParser to parse multipart/form-data requests are vulnerable to a relatively simple but effective resource exhaustion attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
Recommendations: For versions prior to 3.0.6, update to Werkzeug version 3.0.6 to fix the issue. As a temporary workaround, consider setting Request.max_form_memory_size to limit the memory the form parser may use during a request. Additionally, consider setting Request.max_content_length and the resource limits provided by deployment software and platforms to limit the resources used during a request.
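One form of the deployment-level resource limit recommended above, as an added example that is not part of this advisory or of Werkzeug's own code: a stdlib-only WSGI middleware (the names MaxContentLength, CappedInput, reject_413, echo_size_app and send are hypothetical) that answers 413 for bodies above a configured byte cap before any multipart parser can buffer them, covering both a declared Content-Length and bodies sent without one. It assumes the wrapped application reads the body through read(), and it complements rather than replaces upgrading to 3.0.6 and setting Request.max_form_memory_size.

```python
import io

class BodyTooLarge(Exception): """Client sent more body bytes than the cap allows."""

class CappedInput:  # wraps wsgi.input so at most `limit` bytes can ever be read
    def __init__(self, stream, limit):
        self._stream, self._remaining = stream, limit
    def read(self, size=-1):
        if size is None or size < 0:
            size = self._remaining + 1  # one extra byte exposes an overrun
        data = self._stream.read(size)
        if len(data) > self._remaining:
            raise BodyTooLarge()
        self._remaining -= len(data)
        return data

def reject_413(start_response):
    status = "413 Request Entity Too Large"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode() + b"\n"]

class MaxContentLength:  # WSGI middleware: 413 before the app can parse the body
    def __init__(self, app, max_content_length):
        self.app, self.limit = app, max_content_length
    def __call__(self, environ, start_response):
        declared = environ.get("CONTENT_LENGTH", "")
        if declared.isdigit() and int(declared) > self.limit:
            return reject_413(start_response)  # cheap path: nothing is read
        # Chunked or misdeclared bodies are capped at read time; the wrapper raises before the app responds.
        environ["wsgi.input"] = CappedInput(environ["wsgi.input"], self.limit)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            return reject_413(start_response)

def echo_size_app(environ, start_response):
    # Stand-in for a form-parsing app: buffers the whole body in memory.
    n = len(environ["wsgi.input"].read())
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"%d bytes" % n]

def send(app, body, content_length=None):
    # Drives `app` with a constructed WSGI environ; returns (status, body).
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    statuses = []
    out = app(environ, lambda status, headers, exc_info=None: statuses.append(status))
    return statuses[-1], b"".join(out)
```

With a 16-byte cap, a 10-byte upload passes, a request declaring 1000 bytes is refused without reading anything, and a 32-byte body sent with no Content-Length (or with a false small one) is cut off at byte 17.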

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

ALT-PU-2024-15281
ALT-PU-2025-2662
AZL-51690
AZL-51723
BDU:2025-06972
CVE-2024-49767
GHSA-Q34M-JH98-GWM2
MGASA-2024-0351
OESA-2025-1424
OESA-2025-1425
OESA-2025-1426
OPENSUSE-SU-2024:14437-1
OPENSUSE-SU-2024_3810-1
SUSE-SU-2024:3810-1
USN-7093-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Werkzeug