CVE-2023-46136
📋 TL;DR
CVE-2023-46136 is a denial-of-service vulnerability in Werkzeug's multipart data parser. Attackers can send specially crafted file uploads that cause excessive CPU consumption, blocking worker processes from handling legitimate requests. This affects any application using vulnerable versions of Werkzeug to parse multipart/form-data.
💻 Affected Systems
- Werkzeug
📦 What is this software?
Werkzeug by Palletsprojects
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability as worker processes become saturated with CPU-bound parsing tasks, preventing legitimate user requests from being processed.
Likely Case
Degraded application performance and intermittent service disruptions under attack, potentially leading to timeouts and failed requests.
If Mitigated
Minimal impact with proper rate limiting, request size limits, and updated software.
🎯 Exploit Status
Exploit requires sending crafted multipart data to vulnerable endpoints. Proof-of-concept details are publicly available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1
Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
Restart Required: Yes
Instructions:
1. Update Werkzeug: pip install --upgrade werkzeug==3.0.1
2. Restart all Python processes using Werkzeug
3. Verify the update with: python -c "import werkzeug; print(werkzeug.__version__)"
🔧 Temporary Workarounds
Implement request size limits
Limit the maximum request body size so that oversized malicious uploads are rejected before parsing
# In Flask/Werkzeug configuration
from flask import Flask

app = Flask(__name__)
app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16 MB limit; larger bodies get HTTP 413
Rate limit file upload endpoints
Apply rate limiting to endpoints that accept multipart data
# Using Flask-Limiter or similar (Flask-Limiter 3.x constructor: key function first, app as keyword)
from flask import Flask, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
limiter = Limiter(get_remote_address, app=app)

@app.route('/upload', methods=['POST'])
@limiter.limit("10 per minute")  # per-client cap on multipart uploads
def upload():
    return f"received {len(request.files)} file(s)", 200
🧯 If You Can't Patch
- Implement WAF rules to block requests with suspicious multipart boundary patterns
- Deploy reverse proxy with request inspection and size limiting before requests reach vulnerable application
🔍 How to Verify
Check if Vulnerable:
Check the Werkzeug version: python -c "import werkzeug; print(werkzeug.__version__)" - if the version is lower than 3.0.1, the system is vulnerable.
Check Version:
python -c "import werkzeug; print(werkzeug.__version__)"
Verify Fix Applied:
Verify version is 3.0.1 or higher: python -c "import werkzeug; print(werkzeug.__version__)"
📡 Detection & Monitoring
Log Indicators:
- Unusually long request processing times for file uploads
- High CPU usage spikes on application servers
- Multiple failed requests due to timeouts
Network Indicators:
- Large POST requests to upload endpoints with unusual boundary patterns
- Sustained high-volume traffic to specific endpoints
SIEM Query:
source="web_server_logs" method="POST" uri_path="*upload*" duration_ms>10000 | stats count by src_ip
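The SIEM query above as a stand-alone Python script run over constructed log lines, added here as an example that is not part of the advisory; the key=value log format, the field names and the sample IPs are assumptions.

```python
import re
from collections import Counter

# Constructed key=value access-log format (not from the advisory).
LOG_LINE = re.compile(
    r"src_ip=(?P<src_ip>\S+) method=(?P<method>\S+) "
    r"uri_path=(?P<uri_path>\S+) duration_ms=(?P<duration_ms>\d+)"
)
SLOW_MS = 10000  # same threshold as the SIEM query's duration_ms>10000

def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["duration_ms"] = int(fields["duration_ms"])
    return fields

def slow_uploads_by_ip(lines, slow_ms=SLOW_MS, min_hits=1):
    """Mirror the SIEM query: POSTs to *upload* paths slower than slow_ms,
    counted per src_ip; only IPs with at least min_hits are returned."""
    hits = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # malformed or unrelated line, skip it
        if f["method"] != "POST" or "upload" not in f["uri_path"]:
            continue
        if f["duration_ms"] > slow_ms:
            hits[f["src_ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample lines (documentation IP ranges): two slow uploads from
# one client, one fast upload, one slow non-upload POST, one slow GET.
SAMPLE_LOG = [
    "src_ip=203.0.113.7 method=POST uri_path=/api/upload duration_ms=30001",
    "src_ip=203.0.113.7 method=POST uri_path=/api/upload duration_ms=12500",
    "src_ip=198.51.100.2 method=POST uri_path=/api/upload duration_ms=350",
    "src_ip=198.51.100.9 method=POST uri_path=/api/report duration_ms=15000",
    "src_ip=203.0.113.8 method=GET uri_path=/files/upload duration_ms=20000",
]

if __name__ == "__main__":
    for ip, n in slow_uploads_by_ip(SAMPLE_LOG, min_hits=2).items():
        print(f"{ip}: {n} slow upload POSTs")
```

Raising min_hits trades sensitivity for fewer alerts on single slow legitimate uploads; tune it against your baseline upload durations.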
🔗 References
- https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
- https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
- https://security.netapp.com/advisory/ntap-20231124-0008/