PyPI: werkzeug

CVE-2023-46136

Safety vulnerability ID: SFTY-20231025-16698

Safety legacy ID: pyup.io-71595

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests.

PythonPyPINVDNVDGitHubGHSA
Created at: Nov 5, 2025Updated at: Nov 5, 2025

Overview

Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning

Advisory

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests.

Affected Package

Affecting werkzeug package, versions
<=2.3.7
>=3.0.0,<3.0.1

Also affects

---

How to Fix

Upgrade
werkzeug
to
2.3.8
3.0.1
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more