CVE-2023-46136
Denial of Service vulnerability in werkzeug (PyPI)


What is CVE-2023-46136 About?

This vulnerability in Werkzeug's multipart data parser can lead to a denial of service (DoS). Inefficient parsing of crafted multipart data, especially files starting with CR or LF, can exhaust CPU and RAM. This is relatively easy to exploit with specifically constructed file uploads.

Affected Software

  • werkzeug
    • <2.3.8
    • >3.0.0, <3.0.1
    • <f3c803b3ade485a45f12b6d6617595350c0f03e2

Technical Details

The Werkzeug multipart data parser contains an inefficiency in how it searches for boundaries, which can lead to a Denial of Service. A boundary delimiter in multipart data is always preceded by a newline (CR or LF), so while streaming a part's body the parser only treats data up to the last newline as safe to emit and retains everything after it in case it is the start of a boundary. If an attacker crafts a file upload that begins with a CR or LF character, followed by a large amount of data (megabytes) that contains no further newline characters, that retained region starts at the very first byte and never shrinks. All subsequent bytes are appended chunk by chunk to an internal byte array, and the boundary search is re-run over the whole, continuously growing buffer on every chunk. This quadratic behaviour consumes excessive CPU time and RAM, leading to resource exhaustion, which can block worker processes, trigger out-of-memory kills, and ultimately cause a denial of service.

What is the Impact of CVE-2023-46136?

Successful exploitation may allow attackers to cause a denial of service, consuming excessive CPU and memory resources, leading to unresponsiveness or crashes of the server.

What is the Exploitability of CVE-2023-46136?

Exploitation is of low to moderate complexity, as it primarily involves sending a specially crafted multipart HTTP request with a malformed file upload. No authentication is necessarily required if the endpoint handling file uploads is publicly accessible. No elevated privileges are needed. This is a remote vulnerability, as the attacker sends the malicious data over HTTP. The primary risk factor is an application accepting multipart data from untrusted sources without adequate size limits or efficient parsing mechanisms. Continuous requests can exhaust all available workers, increasing the likelihood of a widespread DoS.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-46136?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch modifies multipart parsing logic to prevent excessive buffering by checking if the amount of data after the last newline significantly exceeds the possible length of a boundary; if so, it flushes all pending data instead of waiting for a potential boundary. This fixes CVE-2023-46136 by mitigating a denial-of-service risk, where an attacker could stream large chunks of data without newlines and cause the parser to repeatedly scan and buffer incoming data, exhausting CPU and memory resources.
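The buffering behaviour from the Technical Details section and the effect of the check described above, as an added, simplified Python model written for this page (it is not Werkzeug's own parser code): with `flush_long_tails=False` the model keeps everything from the last newline onward and re-scans the growing buffer on every chunk, as the vulnerable parser does; with `flush_long_tails=True` it applies the fix idea of flushing a tail that is already longer than any boundary could be. The function names, the boundary value and the chunk inputs are constructed for illustration.

```python
def boundary_candidate_start(data: bytes) -> int:
    """Index of the last CR/LF in data, i.e. where a delimiter could still start; len(data) if none.

    A CRLF pair is treated as one newline so the CR stays with its LF.
    """
    pos = max(data.rfind(b"\r"), data.rfind(b"\n"))
    if pos == -1:
        return len(data)
    if data[pos:pos + 1] == b"\n" and data[pos - 1:pos] == b"\r":
        pos -= 1
    return pos


def parse_part_data(chunks, boundary: bytes, flush_long_tails: bool):
    """Feed body chunks through the "inside part data" state of a streaming multipart parser.

    Returns (data_emitted, peak_buffer_len, bytes_scanned). bytes_scanned totals how much
    the boundary search looked at, which is what grows quadratically in the vulnerable mode.
    """
    delimiter = b"--" + boundary
    max_tail = len(boundary) + 4          # a partial CRLF--boundary can never be longer than this
    buffer = bytearray()
    emitted = bytearray()
    peak = scanned = 0
    for chunk in chunks:
        buffer += chunk
        peak = max(peak, len(buffer))
        scanned += len(buffer)            # every call re-scans the whole buffer
        idx = buffer.find(delimiter)
        if idx != -1:                     # end of this part: emit its data minus the trailing newline
            data = bytes(buffer[:idx])
            if data.endswith(b"\r\n"):
                data = data[:-2]
            elif data.endswith((b"\r", b"\n")):
                data = data[:-1]
            emitted += data
            break
        # No delimiter yet: everything before the last newline is safe to emit, because a
        # delimiter must start with CR or LF; the rest is kept in case it is a partial delimiter.
        keep_from = boundary_candidate_start(bytes(buffer))
        if flush_long_tails and len(buffer) - keep_from > max_tail:
            keep_from = len(buffer)       # the fix: a tail longer than any delimiter cannot be one
        emitted += buffer[:keep_from]
        del buffer[:keep_from]
    return bytes(emitted), peak, scanned
```

With input shaped as the advisory describes (a leading LF followed by newline-free chunks), the vulnerable mode's peak buffer and scanned-byte count grow with every chunk, while the fixed mode keeps both bounded by the chunk size.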

Available Upgrade Options

  • werkzeug
    • <2.3.8 → Upgrade to 2.3.8
    • >3.0.0, <3.0.1 → Upgrade to 3.0.1
    • <f3c803b3ade485a45f12b6d6617595350c0f03e2 → Upgrade to f3c803b3ade485a45f12b6d6617595350c0f03e2


Additional Resources

What are Similar Vulnerabilities to CVE-2023-46136?

Similar Vulnerabilities: CVE-2023-48631, CVE-2023-45136, CVE-2023-45137, CVE-2023-49097, CVE-2023-45803