DescriptionWerkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses ``, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3346-1, DSA-5470-1
Debian Bugs1031370

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-werkzeug (PTS)buster0.14.1+dfsg1-4+deb10u1vulnerable
buster (security)0.14.1+dfsg1-4+deb10u2fixed
bullseye (security)1.0.1+dfsg1-2+deb11u1fixed
sid, trixie, bookworm2.2.2-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (2.2.3) (2.2.3) (2.2.3)

Search for package or bug name: Reporting problems