CVE-2024-49767 in Werkzeug
Summary
by MITRE • 10/25/2024
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/06/2024
The vulnerability identified as CVE-2024-49767 affects Werkzeug, a fundamental web application library that serves as the Web Server Gateway Interface implementation for Python web frameworks including Flask. This issue specifically targets the MultiPartParser component responsible for processing multipart/form-data requests commonly used for file uploads in web applications. The flaw exists in versions prior to 3.0.6 and represents a critical resource exhaustion vulnerability that can be exploited to perform denial of service attacks against affected applications. The vulnerability stems from inadequate memory management within the parser's handling of multipart data structures, creating a scenario where maliciously crafted requests can trigger excessive memory allocation patterns.
The technical implementation of this vulnerability involves the MultiPartParser's failure to enforce reasonable limits on memory consumption during multipart form data processing. When processing specially crafted requests, the parser allocates memory proportional to the upload size but without proper upper bounds, leading to exponential memory growth. This behavior allows attackers to consume massive amounts of RAM by submitting relatively small requests, with the memory consumption scaling between 3 to 8 times the actual upload size. The vulnerability operates at the application layer and requires no authentication or specialized privileges to exploit, making it particularly dangerous in production environments where resource constraints are already tight. The memory allocation pattern creates a predictable consumption rate where a single 1 gigabit per second upload can consume up to 32 gigabytes of RAM within 60 seconds, effectively exhausting system resources and causing service disruption.
The operational impact of CVE-2024-49767 extends beyond simple service disruption to encompass potential system instability and resource exhaustion across entire application stacks. Affected applications including Flask-based web services become vulnerable to attacks that can rapidly consume all available memory, leading to process termination, system slowdowns, or complete system crashes. This vulnerability affects not just individual applications but entire infrastructure components that rely on Werkzeug's multipart parsing capabilities, including web servers, reverse proxies, and load balancers that may be processing these requests. The exponential memory consumption pattern makes this attack particularly effective against systems with limited memory resources, potentially affecting multiple concurrent users or applications running on the same host. The vulnerability's exploitation can occur through simple HTTP POST requests with crafted multipart content, making it accessible to attackers with minimal technical expertise and potentially automated through botnets or scanning tools.
The mitigation strategy for CVE-2024-49767 centers on upgrading to Werkzeug version 3.0.6 or later, which implements proper memory limits and bounds checking within the MultiPartParser component. Organizations should prioritize updating their application dependencies and conducting thorough testing to ensure compatibility with the patched version. Additional mitigations include implementing request size limits at the web server level, configuring application-level upload size restrictions, and deploying monitoring systems to detect unusual memory consumption patterns. Network-level protections such as rate limiting and connection tracking can help reduce the impact of attacks by limiting the number of concurrent requests that can be processed. Security teams should also consider implementing intrusion detection systems that can identify patterns consistent with this vulnerability's exploitation, particularly monitoring for unusual memory allocation behavior in web application processes. This vulnerability aligns with CWE-400, which covers resource exhaustion issues, and represents a specific implementation weakness that could be categorized under ATT&CK technique T1499.004 for resource exhaustion attacks targeting application availability. Organizations should also review their application architecture to ensure proper isolation between different application components and implement appropriate memory monitoring and alerting mechanisms to detect potential exploitation attempts.