CVE-2024-49767: 
Python vulnerability analysis and mitigation

Werkzeug, a Web Server Gateway Interface web application library, was found to contain a vulnerability (CVE-2024-49767) affecting versions prior to 3.0.6. The vulnerability was discovered and disclosed in October 2024, affecting applications using werkzeug.formparser.MultiPartParser to parse multipart/form-data requests, including all Flask applications (GitHub Advisory).

The vulnerability allows for a resource exhaustion (denial of service) attack through a specifically crafted form submission request. The parser can be made to allocate and block 3 to 8 times the upload size in main memory, with no upper limit. For example, a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Successful exploitation of this vulnerability could lead to Denial of Service (DoS) through resource exhaustion. The attack can cause significant memory allocation, potentially leading to system instability or unavailability. There is no impact on confidentiality or integrity of the system (GitHub Advisory, NetApp Advisory).

The vulnerability has been fixed in Werkzeug version 3.0.6. Users should upgrade to this version or later to address the issue. The fix involves properly applying maxformmemory_size when parsing large non-file fields (GitHub Release).