CVE-2024-49767

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-49767
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49767.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49767
Aliases
Downstream
Related
Published
2024-10-25T19:41:35.029Z
Modified
2026-06-18T03:56:14.727371493Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Werkzeug possible resource exhaustion when parsing file data in forms
Details

Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser corresponding to a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49767.json"
}
References

Affected packages

Git / github.com/pallets/quart

Affected ranges

Type
GIT
Repo
https://github.com/pallets/quart
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0c91e8e5cd35eb0b8629672627decd528f1f2bbf
Fixed
5e78c4169b8eb66b91ead3e62d44721b9e1644ee
Fixed
abb04a512496206de279225340ed022852fbf51f
Database specific 
{
    "cpe": "cpe:2.3:a:palletsprojects:quart:*:*:*:*:*:python:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.19.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/pallets/werkzeug
Events
Introduced
22bfb446a7c1865b6e8edff08c18a1ffbe587cb6
Fixed
5eaefc3996aa5cc8c5237d8b82f1b89eed6ea624
Database specific 
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.0.0rc1"
        },
        {
            "fixed": "3.0.6"
        }
    ]
}

Affected versions

0.*
0.1.0
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.16.2
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.8.0
0.8.1
0.9.0
0.9.1
2.*
2.0.0
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.1.0
2.2.0
2.2.0a1
3.*
3.0.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49767.json"