CVE-2024-49767

7.5 HIGH

📋 TL;DR

Werkzeug versions before 3.0.6 contain a resource exhaustion vulnerability in the MultiPartParser that handles multipart/form-data requests. Attackers can craft malicious upload requests that cause the parser to allocate 3-8 times the upload size in memory, leading to denial of service through memory exhaustion. All Flask applications and other applications using vulnerable Werkzeug versions are affected.

💻 Affected Systems

Products:
  • Werkzeug
  • Flask
  • Quart
  • Any application using Werkzeug's MultiPartParser
Versions: All versions before 3.0.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application processing multipart/form-data requests with vulnerable Werkzeug versions is affected, regardless of framework.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to memory exhaustion, potentially affecting multiple servers in a cluster if load balancers distribute malicious requests.

🟠 Likely Case: Service degradation or temporary unavailability for affected endpoints, requiring restart of application processes.

🟢 If Mitigated: Minimal impact with proper rate limiting, request size limits, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit with crafted HTTP requests. Proof-of-concept code is available in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.6

Vendor Advisory: https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2

Restart Required: Yes

Instructions:

1. Update Werkzeug to version 3.0.6 or later using pip (quote the specifier so the shell does not treat `>` as a redirection): pip install --upgrade "werkzeug>=3.0.6"
2. Restart all application processes using Werkzeug
3. Verify the update with: pip show werkzeug

🔧 Temporary Workarounds

1. Implement request size limits (applies to all platforms): configure the web server or application to limit the maximum request body size.

   # For nginx: client_max_body_size 10m;
   # For Apache: LimitRequestBody 10485760

2. Rate limit upload endpoints (applies to all platforms): implement rate limiting on endpoints accepting file uploads.

   # Example using Flask-Limiter: @limiter.limit("10/minute")

🧯 If You Can't Patch

  • Deploy Web Application Firewall (WAF) rules to block suspicious multipart requests
  • Implement aggressive request timeout and connection limits at load balancer level

🔍 How to Verify

Check if Vulnerable:

Check the installed Werkzeug version with: python -c "import werkzeug; print(werkzeug.__version__)" and treat the installation as vulnerable if the version is < 3.0.6

Check Version:

python -c "import werkzeug; print('Werkzeug version:', werkzeug.__version__)"

Verify Fix Applied:

Confirm version is >= 3.0.6 and test file upload functionality remains operational
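As an added example (not from the advisory or the Werkzeug project), the following dependency-free Python code covers the two practical steps above: it classifies a Werkzeug version string against the 3.0.6 fix threshold, and it implements the "request size limit" workaround as a WSGI middleware that refuses oversized or length-less multipart bodies before any form parser sees them. The names `is_vulnerable`, `MultipartSizeGuard`, the 10 MiB cap and the constructed request environs are illustrative assumptions, not part of Werkzeug.

```python
"""Added example: version classification and an application-side size guard.
Not from the advisory or Werkzeug itself; names and limits are assumptions."""
import re

FIXED_VERSION = (3, 0, 6)  # first patched release, per the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Turn '3.0.5', '3.1' or '3.0.6.dev1' into a comparable tuple.
    The fourth element ranks suffixes: pre-releases (dev/a/b/rc) sort below
    the final release, post-releases above it, so '3.0.6.dev1' is still
    treated as unpatched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    rank = 0
    if suffix:
        rank = 1 if "post" in suffix else -1
    return (int(major), int(minor), int(patch or 0), rank)


def is_vulnerable(version_text):
    """True when the installed version predates the 3.0.6 fix."""
    return parse_version(version_text) < FIXED_VERSION + (0,)


class MultipartSizeGuard:
    """Hypothetical WSGI middleware (assumption, not a Werkzeug API):
    reject multipart/form-data requests whose declared body exceeds
    max_bytes, or that declare no length at all, before the request
    reaches the framework's form parser. The parser therefore never
    sees a body larger than the cap, whatever its internal buffering."""

    def __init__(self, app, max_bytes=10 * 1024 * 1024):
        self.app = app
        self.max_bytes = max_bytes

    def __call__(self, environ, start_response):
        ctype = environ.get("CONTENT_TYPE", "")
        if ctype.lower().startswith("multipart/form-data"):
            length = environ.get("CONTENT_LENGTH", "")
            if not length.isdigit():
                # Chunked or undeclared length: the only way to learn the
                # size would be to read (and buffer) the body, so refuse.
                start_response("411 Length Required",
                               [("Content-Type", "text/plain")])
                return [b"Content-Length required for multipart uploads\n"]
            if int(length) > self.max_bytes:
                start_response("413 Payload Too Large",
                               [("Content-Type", "text/plain")])
                return [b"upload exceeds size limit\n"]
        return self.app(environ, start_response)


def _inner_app(environ, start_response):
    """Stand-in for the real application; it only runs when the guard passes."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"parsed\n"]


def run_request(app, content_type, content_length):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": content_type}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Guarded application with the assumed 10 MiB cap.
guarded = MultipartSizeGuard(_inner_app, max_bytes=10 * 1024 * 1024)

if __name__ == "__main__":
    for v in ("2.3.8", "3.0.5", "3.0.6.dev1", "3.0.6", "3.1.0"):
        print(f"werkzeug {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    ct = "multipart/form-data; boundary=constructed"
    print(run_request(guarded, ct, 20 * 1024 * 1024)[0])  # oversized
    print(run_request(guarded, ct, None)[0])               # no length
    print(run_request(guarded, ct, 4096)[0])               # allowed
```

The middleware enforces the cap at the WSGI boundary, so it works the same whether the framework is Flask, Quart or plain Werkzeug; in Flask the equivalent application-level setting is `app.config["MAX_CONTENT_LENGTH"]`, which Werkzeug enforces with a 413. Keep the web-server limit (nginx `client_max_body_size`, Apache `LimitRequestBody`) in front of it as the first line of defence, and patch to 3.0.6 regardless, since a cap only bounds the multiplied allocation rather than removing it.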

📡 Detection & Monitoring

Log Indicators:

  • Unusually large memory consumption spikes
  • Application crashes or restarts during file uploads
  • Slow response times on upload endpoints

Network Indicators:

  • Large multipart/form-data requests to upload endpoints
  • Multiple rapid upload requests from single IPs

SIEM Query:

source=application_logs ("multipart" OR "upload") AND ("memory" > threshold OR "crash" OR "restart")
