VDB
KO
HIGH 7.5

PYSEC-2026-1860

Werkzeug possible resource exhaustion when parsing file data in forms

Details

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.

The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / quart
Introduced in: 0 Fixed in: 0.20.0
Fix pip install --upgrade 'quart>=0.20.0'

References