OESA-2025-1426

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1426
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1426.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1426
Upstream
Published
2025-04-18T13:49:33Z
Modified
2025-08-12T05:46:22.555672Z
Summary
python-werkzeug security update
Details

werkzeug German noun: "tool". Etymology: werk ("work"), zeug ("stuff") Werkzeug is a comprehensive WSGI_ web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: - An interactive debugger that allows inspecting stack traces and source code in the browser with an interactive interpreter for any frame in the stack. - A full-featured request object with objects to interact with headers, query args, form data, files, and cookies. - A response object that can wrap other WSGI applications and handle streaming data. - A routing system for matching URLs to endpoints and generating URLs for endpoints, with an extensible system for capturing variables from URLs. - HTTP utilities to handle entity tags, cache control, dates, user agents, cookies, files, and more. - A threaded WSGI server for use while developing applications locally. - A test client for simulating HTTP requests during testing without requiring running a server. Werkzeug doesn't enforce any dependencies. It is up to the developer to choose a template engine, database adapter, and even how to handle requests. It can be used to build all sorts of end user applications such as blogs, wikis, or bulletin boards. Flask_ wraps Werkzeug, using it to handle the details of WSGI while providing more structure and patterns for defining powerful applications.

Security Fix(es):

Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser corresponding to a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.(CVE-2024-49767)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS / python-werkzeug

Package

Name
python-werkzeug
Purl
pkg:rpm/openEuler/python-werkzeug&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.3-3.oe2403

Ecosystem specific 

{
    "src": [
        "python-werkzeug-2.2.3-3.oe2403.src.rpm"
    ],
    "noarch": [
        "python-werkzeug-help-2.2.3-3.oe2403.noarch.rpm",
        "python3-werkzeug-2.2.3-3.oe2403.noarch.rpm"
    ]
}