HIGH 7.5
PYSEC-2026-1860
Werkzeug possible resource exhaustion when parsing file data in forms
상세
Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.
The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-49767 [ADVISORY]
- https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee [WEB]
- https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f [WEB]
- https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b [WEB]
- https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5 [WEB]
- https://github.com/pallets/werkzeug [PACKAGE]
- https://github.com/pallets/werkzeug/releases/tag/3.0.6 [WEB]
- https://security.netapp.com/advisory/ntap-20250103-0007 [WEB]
- https://pypi.org/project/quart [PACKAGE]
- https://github.com/advisories/GHSA-q34m-jh98-gwm2 [ADVISORY]