CVE-2023-25577
Denial of Service vulnerability in werkzeug (PyPI)

Tags: Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2023-25577 About?

Werkzeug versions before 2.2.3 are vulnerable to Denial of Service because the multipart form-data parser accepts an unlimited number of parts. A remote attacker can send a crafted multipart request that consumes CPU time and memory out of proportion to its size, blocking worker processes or getting them killed and rendering the application unavailable. Exploitation requires only that the application reads the form data of the request.

Affected Software

  • werkzeug
    • git: versions before commit 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
    • PyPI: <2.2.3

Technical Details

The vulnerability in Werkzeug versions prior to 2.2.3 resides in its multipart form-data parser, which handles an unlimited number of parts, including file parts, within a single request. Each part can be only a handful of bytes on the wire, but every part costs CPU time to parse and is materialised as Python data structures, so the memory used by the parsed request is far larger than the raw request body; file parts additionally consume file handles. An attacker can therefore craft a multipart request containing an extremely large number of small parts. When an endpoint accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), the parser processes every part of this oversized input, leading to unexpectedly high resource usage. The CPU time spent parsing keeps the worker from serving legitimate requests, and the memory used can trigger an out-of-memory kill of the process, causing a Denial of Service. Many such requests sent concurrently can exhaust or kill all available workers.

What is the Impact of CVE-2023-25577?

Successful exploitation may allow attackers to exhaust system resources, leading to the unavailability of web applications, crashing worker processes, and causing a complete denial of service.

What is the Exploitability of CVE-2023-25577?

Exploitation requires sending specially crafted multipart data to an endpoint that processes request.data, request.form, request.files, or request.get_data(parse_form_data=False). The complexity is low: the payload is an ordinary multipart body with an excessive number of parts, which a few lines of code can generate. No authentication is required if the target endpoint is publicly accessible and accepts form data. This is a remote exploitation scenario. The only precondition is that the application parses multipart form data from user input without limits on the number of parts, which is the default in affected versions. Risk is high for any web application built on a vulnerable Werkzeug version that processes file uploads or form submissions from untrusted sources, particularly if it is internet-facing.
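The following is an added example, not Werkzeug's own code and not a public exploit: a minimal multipart/form-data parser (text fields only) that reproduces the unbounded behaviour described in the two sections above, next to the same parser with a part-count limit, driven by a constructed attack body. The boundary token, field names and the `check_part_limit` helper are assumptions made for the demonstration. It shows the asymmetry the advisory describes (a few hundred kilobytes of request body become thousands of parsed fields) and how a limit on the number of parts stops the work before the rest of the body is read.

```python
"""Added example: unbounded vs. bounded multipart parsing (not Werkzeug's code)."""
from __future__ import annotations

import io

BOUNDARY = b"----ExampleBoundary7f3a"  # constructed boundary token for the sample bodies


class TooManyParts(Exception):
    """Raised when a request carries more parts than the configured limit."""

    def __init__(self, limit: int, bytes_read: int) -> None:
        super().__init__(f"multipart body exceeds {limit} parts")
        self.limit = limit
        self.bytes_read = bytes_read  # body bytes consumed before the parser gave up


def build_multipart_body(num_parts: int, boundary: bytes = BOUNDARY) -> bytes:
    """Constructed attack payload: num_parts tiny text fields named f0, f1, ...

    Each part is under 100 bytes on the wire, so 100k parts is only a few
    megabytes of body, yet an unbounded parser turns every one of them into
    Python objects and a dictionary entry.
    """
    out = io.BytesIO()
    for i in range(num_parts):
        out.write(b"--%s\r\n" % boundary)
        out.write(b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i)
        out.write(b"x\r\n")
    out.write(b"--%s--\r\n" % boundary)
    return out.getvalue()


def parse_multipart(body: bytes, boundary: bytes = BOUNDARY,
                    max_form_parts: int | None = None) -> dict[bytes, bytes]:
    """Minimal line-oriented multipart/form-data parser for text fields.

    max_form_parts=None mirrors the pre-2.2.3 behaviour: every part is parsed
    and materialised no matter how many there are.  With a limit, parsing
    aborts as soon as the (limit + 1)th boundary is seen, before that part's
    headers or body are read, so an oversized request costs at most `limit`
    parts of work.
    """
    delim = b"--" + boundary
    closing = delim + b"--"
    fields: dict[bytes, bytes] = {}
    name: bytes | None = None
    value = bytearray()
    in_headers = False
    parts = 0
    bytes_read = 0

    for line in io.BytesIO(body):  # BytesIO yields b"\n"-terminated lines
        bytes_read += len(line)
        marker = line.rstrip(b"\r\n")
        if marker in (delim, closing):
            if name is not None:  # finish the previous part
                fields[name] = bytes(value[:-2]) if value.endswith(b"\r\n") else bytes(value)
                name, value = None, bytearray()
            if marker == closing:
                break
            parts += 1
            if max_form_parts is not None and parts > max_form_parts:
                raise TooManyParts(max_form_parts, bytes_read)
            in_headers = True
        elif in_headers:
            if marker == b"":  # blank line ends the part headers
                in_headers = False
            elif marker.lower().startswith(b"content-disposition:") and b'name="' in marker:
                name = marker.split(b'name="', 1)[1].split(b'"', 1)[0]
        else:
            value += line  # part body; the trailing CRLF belongs to the next boundary
    return fields


def check_part_limit(body: bytes, max_form_parts: int, boundary: bytes = BOUNDARY) -> int | None:
    """Assumed helper: bytes consumed before the limit tripped, or None if it never did."""
    try:
        parse_multipart(body, boundary, max_form_parts)
    except TooManyParts as exc:
        return exc.bytes_read
    return None


if __name__ == "__main__":
    body = build_multipart_body(100_000)
    print(f"crafted body: {len(body):,} bytes for 100,000 parts")
    print("unbounded parser materialised", len(parse_multipart(body)), "fields")
    used = check_part_limit(body, 1000)
    print(f"bounded parser (limit 1000) aborted after reading {used:,} bytes")
```

In Werkzeug 2.2.3 and later the equivalent knob is `Request.max_form_parts` (default 1000); an application that needs a tighter bound subclasses `Request` and lowers that attribute, and `Request.max_form_memory_size` caps the memory spent on form fields.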

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(no entries: no known public exploits)

What are the Available Fixes for CVE-2023-25577?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

None

Available Upgrade Options

  • werkzeug
    • git: before commit 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 → upgrade to a build that includes commit 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
    • PyPI: <2.2.3 → upgrade to 2.2.3 or later

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-25577?

Similar Vulnerabilities: CVE-2023-45588, CVE-2023-32001, CVE-2023-29471, CVE-2023-27329, CVE-2023-36665