CVE-2023-25577: Werkzeug may allow high resource usage when parsing multipart form data with many fields
First published: Tue Feb 14 2023(Updated: )
A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage, allowing an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests, and if many concurrent requests are sent continuously, this can exhaust or kill all available workers.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Werkzeug | <2.2.3 | 2.2.3 |
| Palletsprojects Werkzeug | <2.2.3 | |
| redhat/python-werkzeug | <0:2.0.3-5.el8 | 0:2.0.3-5.el8 |
| redhat/python-werkzeug | <0:2.0.3-4.el9 | 0:2.0.3-4.el9 |
| redhat/python-werkzeug | <0:1.0.1-3.el8 | 0:1.0.1-3.el8 |
| redhat/python-werkzeug | <0:0.14.1-3.1.el7 | 0:0.14.1-3.1.el7 |
| redhat/python-werkzeug | <0:0.14.1-12.el8 | 0:0.14.1-12.el8 |
| redhat/python-werkzeug | <0:2.0.1-5.el9 | 0:2.0.1-5.el9 |
| debian/python-werkzeug | <=0.14.1+dfsg1-4+deb10u1 | 0.14.1+dfsg1-4+deb10u2 1.0.1+dfsg1-2+deb11u1 2.2.2-3 |
| redhat/python-werkzeug | <2.2.3 | 2.2.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
- https://nvd.nist.gov/vuln/detail/CVE-2023-25577
- https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
- https://github.com/pallets/werkzeug/releases/tag/2.2.3
- https://www.debian.org/security/2023/dsa-5470
- https://security.netapp.com/advisory/ntap-20230818-0003/
- https://github.com/advisories/GHSA-xg9f-g7g7-2323 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2023-25577 https://nvd.nist.gov/vuln/detail/CVE-2023-25577 https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 https://github.com/pallets/werkzeug/releases/tag/2.2.3 https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
- https://bugzilla.redhat.com/show_bug.cgi?id=2170242
- https://access.redhat.com/errata/RHBA-2023:1759
- https://access.redhat.com/errata/RHBA-2023:1507
- https://access.redhat.com/errata/RHSA-2023:1325
- https://access.redhat.com/errata/RHSA-2023:1281
- https://access.redhat.com/errata/RHSA-2023:1018
- https://access.redhat.com/security/cve/cve-2023-25577
- https://github.com/pallets/werkzeug/commit/fe899d0cdf767a7289a8bf746b7f72c2907a1b4b
- https://github.com/pallets/werkzeug/commit/09449ee77934a0c883f5959785864ecae6aaa2c9
- https://github.com/pallets/werkzeug/commit/babc8d9e8c9fa995ef26050698bc9b5a92803664
- https://security-tracker.debian.org/tracker/CVE-2023-25577
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170250
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170261
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170244
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170262
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170264
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170253
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170255
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170256
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170259
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170266
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170246
- https://access.redhat.com/errata/RHSA-2023:7473
- https://access.redhat.com/errata/RHSA-2023:7341
- https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml
- https://security.netapp.com/advisory/ntap-20230818-0003
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-25577?
CVE-2023-25577 is a vulnerability found in python-werkzeug, a multipart form data parser that can parse an unlimited number of parts, including file parts, which can consume CPU time and memory.
What is the severity of CVE-2023-25577?
CVE-2023-25577 has a severity rating of 7.5 (high).
How does CVE-2023-25577 affect software?
CVE-2023-25577 affects versions of python-werkzeug up to and including 2.2.3.
How can I fix CVE-2023-25577?
To fix CVE-2023-25577, upgrade python-werkzeug to version 2.2.3 or apply the appropriate security patch provided by your vendor.
Where can I find more information about CVE-2023-25577?
You can find more information about CVE-2023-25577 on the CVE website, NVD, and the GitHub repositories for python-werkzeug.
- collector/github-advisory
- alias/GHSA-xg9f-g7g7-2323
- alias/CVE-2023-25577
- collector/nvd-api
- collector/redhat-cve
- collector/nvd-index
- collector/security-tracker-debian
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/description
- collector/github-advisory-latest
- source/GitHub
- agent/references
- agent/last-modified-date
- agent/tags
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/palletsprojects
- canonical/palletsprojects werkzeug
- package-manager/redhat
- package-manager/debian