CVE-2023-25577

7.5 HIGH

📋 TL;DR

CVE-2023-25577 is a denial-of-service vulnerability in Werkzeug's multipart form data parser: an attacker can cause high CPU and memory consumption by sending crafted requests containing an unbounded number of parts. It affects any web application that runs a vulnerable Werkzeug version and parses multipart form data via request.data, request.form, request.files, or related accessors. Exhausting system resources this way can block legitimate requests.

💻 Affected Systems

Products:
  • Werkzeug
Versions: All versions prior to 2.2.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects endpoints that parse multipart form data. Applications not using Werkzeug's multipart parsing are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage with worker processes killed due to out-of-memory conditions, potentially requiring manual intervention to restore service.

🟠 Likely Case: Degraded performance with increased response times and potential service interruptions during attack periods.

🟢 If Mitigated: Minimal impact with proper rate limiting, request size limits, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted multipart requests to vulnerable endpoints. No authentication is needed if the endpoint is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.3

Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Restart Required: Yes

Instructions:

1. Update Werkzeug: pip install --upgrade werkzeug==2.2.3
2. Restart your application server
3. Verify the update with: pip show werkzeug

🔧 Temporary Workarounds

Implement request size limits (applies to: all)

Configure the web server or application to limit multipart request size. This bounds the cost of a single request but does not remove the problem, since many small parts still fit inside a 10 MB body:

  nginx:  client_max_body_size 10M;
  Apache: LimitRequestBody 10485760

Rate limiting (applies to: all)

Implement rate limiting on endpoints that parse multipart data:

  Flask-Limiter: @limiter.limit("100/hour")

🧯 If You Can't Patch

  • Implement WAF rules to block or limit multipart requests with excessive parts
  • Monitor for abnormal request patterns and implement automated blocking

🔍 How to Verify

Check if Vulnerable:

Check the installed Werkzeug version; anything below 2.2.3 is vulnerable:

pip show werkzeug | grep Version

Verify Fix Applied:

Run the same command and confirm the version is 2.2.3 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large number of multipart requests
  • High CPU/memory usage spikes
  • Out-of-memory errors in application logs

Network Indicators:

  • Multiple POST requests with Content-Type: multipart/form-data
  • Requests with abnormally large payloads

SIEM Query:

source=web_logs method=POST content_type="multipart/form-data" | stats count by src_ip | where count > threshold
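The SIEM query above, implemented as a stand-alone Python check, so the same detection can be run against exported logs or used in a test harness. This is an added example, not part of the original advisory: the key=value log format, the field names (src_ip, method, content_type, bytes) and the sample lines are constructed assumptions; adjust the parser to your own log format. It also adds a second check the page's network indicators call for: flagging multipart POSTs with abnormally large bodies.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the key=value form the SIEM query
# above assumes; these are not real log data.
SAMPLE_LOGS = """\
ts=2024-01-01T10:00:00Z src_ip=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=b1" bytes=1536
ts=2024-01-01T10:00:01Z src_ip=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=b1" bytes=1536
ts=2024-01-01T10:00:02Z src_ip=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=b1" bytes=1536
ts=2024-01-01T10:00:03Z src_ip=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=b1" bytes=1536
ts=2024-01-01T10:00:04Z src_ip=198.51.100.7 method=POST path=/upload content_type="multipart/form-data; boundary=b2" bytes=120000
ts=2024-01-01T10:00:05Z src_ip=198.51.100.7 method=GET path=/ content_type="-" bytes=0
ts=2024-01-01T10:00:06Z src_ip=192.0.2.9 method=POST path=/api content_type="application/json" bytes=300
"""

# key=value pairs; values may be double-quoted (content_type carries spaces and ';').
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def is_multipart_post(fields):
    """True for the requests the vulnerable parser would handle."""
    return (fields.get("method") == "POST"
            and fields.get("content_type", "").lower().startswith("multipart/form-data"))

def find_multipart_floods(log_text, threshold=3):
    """Equivalent of 'stats count by src_ip | where count > threshold'."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if is_multipart_post(fields):
            counts[fields.get("src_ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def find_oversized_multipart(log_text, max_bytes=65536):
    """Multipart POSTs larger than max_bytes; with a body-size limit in place these
    should have been rejected at the web server, so seeing them means the limit is missing."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if is_multipart_post(fields) and int(fields.get("bytes", "0")) > max_bytes:
            hits.append((fields.get("src_ip", "?"), int(fields["bytes"])))
    return hits

if __name__ == "__main__":
    print(find_multipart_floods(SAMPLE_LOGS), find_oversized_multipart(SAMPLE_LOGS))
```

Tune threshold and max_bytes to the normal traffic profile of the endpoint; a file-upload endpoint will legitimately see large multipart bodies that a login form never should.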
