CVE-2023-46136 Overview
CVE-2023-46136 is a Denial of Service vulnerability affecting Werkzeug, the comprehensive WSGI web application library maintained by the Pallets Projects. The vulnerability exists in the multipart data parsing functionality, where specially crafted file uploads can cause excessive CPU consumption, potentially blocking worker processes from handling legitimate requests.
When an attacker uploads a file that starts with a Carriage Return (CR) or Line Feed (LF) character followed by megabytes of data without these characters, the parser appends all bytes chunk by chunk into an internal bytearray while performing boundary lookups on the growing buffer. This inefficient processing leads to resource exhaustion and service disruption.
Critical Impact
Attackers can cause denial of service by sending crafted multipart data to any endpoint that parses file uploads, blocking legitimate traffic and potentially taking down web applications built on Flask and other Werkzeug-based frameworks.
Affected Products
- Palletsprojects Werkzeug versions prior to 3.0.1
- Werkzeug version 3.0.0
- Applications built on Flask or other frameworks using vulnerable Werkzeug versions
Discovery Timeline
- 2023-10-24 - Pallets Projects releases security patch in version 3.0.1
- 2023-10-25 - CVE CVE-2023-46136 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-46136
Vulnerability Analysis
The vulnerability resides in Werkzeug's multipart form data parser, which handles file uploads in WSGI web applications. The parser processes incoming multipart data by reading chunks and searching for boundary markers that separate individual form fields and files.
When processing a file upload that begins with CR (\r) or LF (\n) characters followed by large amounts of data without these delimiter characters, the parser exhibits pathological behavior. Instead of efficiently processing the data stream, it continuously appends bytes to an internal bytearray buffer while repeatedly scanning the entire growing buffer for boundary markers.
This algorithmic inefficiency (CWE-400: Uncontrolled Resource Consumption) means that processing time increases non-linearly with input size, allowing attackers to consume disproportionate CPU resources with relatively modest payloads.
Root Cause
The root cause is an inefficient boundary lookup algorithm in the multipart parser. When data lacks the expected delimiter characters (CR/LF), the parser accumulates data into a growing buffer and performs repeated boundary searches across the entire buffer rather than using a more efficient streaming approach. This creates an algorithmic complexity attack vector where carefully crafted input triggers worst-case performance.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs to identify an endpoint that accepts multipart form data (file uploads) and send a malicious request containing:
- A multipart boundary header
- File content starting with CR or LF character
- Megabytes of subsequent data without CR/LF characters
The parser will process this data inefficiently, consuming CPU cycles and potentially blocking worker processes. Multiple concurrent requests can amplify the impact, leading to complete service unavailability.
.. currentmodule:: werkzeug
+Version 3.0.1
+-------------
+
+Released 2023-10-24
+
+- Fix slow multipart parsing for large parts potentially enabling DoS
+ attacks. :cwe:`CWE-407`
+
Version 3.0.0
-------------
Source: GitHub Commit Changes
Detection Methods for CVE-2023-46136
Indicators of Compromise
- Unusual CPU spikes on web server processes during multipart request handling
- Worker process timeouts or unresponsiveness when processing file uploads
- Increased memory usage in WSGI worker processes
- HTTP 503 errors or gateway timeouts affecting file upload endpoints
Detection Strategies
- Monitor web server CPU utilization patterns, specifically correlating spikes with multipart POST requests
- Implement request duration monitoring to detect abnormally long-running upload requests
- Audit application dependencies to identify vulnerable Werkzeug versions (< 3.0.1)
- Deploy web application firewalls (WAF) with rules to detect oversized multipart payloads with suspicious patterns
Monitoring Recommendations
- Configure alerting for worker process CPU utilization exceeding normal thresholds
- Implement request timeout monitoring for file upload endpoints
- Track multipart request sizes and processing durations as security metrics
- Monitor for patterns of repeated large POST requests from single sources
How to Mitigate CVE-2023-46136
Immediate Actions Required
- Upgrade Werkzeug to version 3.0.1 or later immediately
- If immediate upgrade is not possible, implement request size limits and timeouts on file upload endpoints
- Consider temporarily disabling file upload functionality if under active attack
- Review and update all applications using Flask or other Werkzeug-based frameworks
Patch Information
The vulnerability has been patched in Werkzeug version 3.0.1, released on 2023-10-24. The fix addresses the inefficient multipart parsing algorithm to prevent resource exhaustion attacks. Users should upgrade by updating their dependency specifications and redeploying applications.
For detailed patch information, refer to the GitHub Security Advisory and the commit changes.
Workarounds
- Implement strict request body size limits at the reverse proxy or load balancer level
- Configure aggressive request timeouts for endpoints accepting file uploads
- Deploy rate limiting on multipart POST endpoints to reduce attack amplification
- Use a WAF to filter requests with abnormally large Content-Length headers
# Configuration example - Upgrade Werkzeug using pip
pip install --upgrade werkzeug>=3.0.1
# Verify installed version
pip show werkzeug | grep Version
# For requirements.txt, update to:
# werkzeug>=3.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
