{"schema_version":"1.7.2","id":"OESA-2025-1426","modified":"2025-04-18T13:49:33Z","published":"2025-04-18T13:49:33Z","upstream":["CVE-2024-49767"],"summary":"python-werkzeug security update","details":"*werkzeug* German noun: \u0026amp;quot;tool\u0026amp;quot;. Etymology: *werk* (\u0026amp;quot;work\u0026amp;quot;), *zeug* (\u0026amp;quot;stuff\u0026amp;quot;) Werkzeug is a comprehensive `WSGI`_ web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: -   An interactive debugger that allows inspecting stack traces and     source code in the browser with an interactive interpreter for any     frame in the stack. -   A full-featured request object with objects to interact with     headers, query args, form data, files, and cookies. -   A response object that can wrap other WSGI applications and handle     streaming data. -   A routing system for matching URLs to endpoints and generating URLs     for endpoints, with an extensible system for capturing variables     from URLs. -   HTTP utilities to handle entity tags, cache control, dates, user     agents, cookies, files, and more. -   A threaded WSGI server for use while developing applications     locally. -   A test client for simulating HTTP requests during testing without     requiring running a server. Werkzeug doesn\u0026amp;apos;t enforce any dependencies. It is up to the developer to choose a template engine, database adapter, and even how to handle requests. It can be used to build all sorts of end user applications such as blogs, wikis, or bulletin boards. `Flask`_ wraps Werkzeug, using it to handle the details of WSGI while providing more structure and patterns for defining powerful applications.\r\n\r\nSecurity Fix(es):\n\nWerkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.(CVE-2024-49767)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"python-werkzeug","purl":"pkg:rpm/openEuler/python-werkzeug\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.3-3.oe2403"}]}],"ecosystem_specific":{"noarch":["python-werkzeug-help-2.2.3-3.oe2403.noarch.rpm","python3-werkzeug-2.2.3-3.oe2403.noarch.rpm"],"src":["python-werkzeug-2.2.3-3.oe2403.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1426"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49767"}],"database_specific":{"severity":"High"}}