HIGH 7.5
PYSEC-2026-1860
Werkzeug possible resource exhaustion when parsing file data in forms
Details
Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.
The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-49767 [ADVISORY]
- https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee [WEB]
- https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f [WEB]
- https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b [WEB]
- https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5 [WEB]
- https://github.com/pallets/werkzeug [PACKAGE]
- https://github.com/pallets/werkzeug/releases/tag/3.0.6 [WEB]
- https://security.netapp.com/advisory/ntap-20250103-0007 [WEB]
- https://pypi.org/project/quart [PACKAGE]
- https://github.com/advisories/GHSA-q34m-jh98-gwm2 [ADVISORY]