Werkzeug is an extensive WSGI (Web Server Gateway Interface) web application library for the Python programming language, used by many as a core component for web application development, including popular frameworks such as Flask. A critical denial of service vulnerability through file uploads has been discovered in Werkzeug, designated as CVE-2023-46136.

Description

This vulnerability exists in the way Werkzeug handles file uploads within the multipart parser. If an attacker uploads a maliciously crafted file that starts with a Carriage Return (CR) or Line Feed (LF) character and is then followed by megabytes of data without these characters, all of the bytes are appended chunk by chunk into an internal bytearray. The lookup for the boundary is performed on this growing buffer, consuming large amounts of CPU time and potentially blocking worker processes from handling legitimate requests. As a result, this could lead to a denial of service (DoS) attack, significantly affecting website performance and availability.
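The mechanism described above, as an added illustration that is not Werkzeug's own parser code: a toy boundary search that re-scans the whole accumulating buffer on every chunk (the pattern that burns CPU), beside a bounded variant that only examines the bytes a boundary could still begin in. The boundary string and the chunk data are constructed for the example.

```python
# Added illustration, not Werkzeug's code. Compares a naive boundary scan over
# a growing buffer with a bounded scan; inputs below are constructed.

BOUNDARY = b"--frontier"  # constructed boundary as it appears in the body


def feed_naive(chunks, boundary=BOUNDARY):
    """Vulnerable pattern: append each chunk, then search the entire buffer.
    Returns (offset of boundary or -1, total bytes examined)."""
    buf = bytearray()
    examined = 0
    for chunk in chunks:
        buf += chunk
        examined += len(buf)          # find() walks the whole buffer again
        idx = buf.find(boundary)
        if idx != -1:
            return idx, examined
    return -1, examined


def feed_bounded(chunks, boundary=BOUNDARY):
    """Hardened pattern: a boundary not already ruled out can only start in
    the last len(boundary)-1 bytes of the old buffer or in the new chunk,
    so the scan cost per chunk stays proportional to the chunk size."""
    buf = bytearray()
    examined = 0
    for chunk in chunks:
        start = max(0, len(buf) - (len(boundary) - 1))
        buf += chunk
        examined += len(buf) - start  # only the tail plus the new chunk
        idx = buf.find(boundary, start)
        if idx != -1:
            return idx, examined
    return -1, examined


def crlf_then_filler(filler_chunks=5, chunk_size=1000):
    """Constructed body shaped like the advisory's trigger: a leading CRLF,
    then many chunks without CR/LF, then the real boundary."""
    return [b"\r\n"] + [b"A" * chunk_size] * filler_chunks + [b"\r\n" + BOUNDARY + b"\r\n"]


if __name__ == "__main__":
    body = crlf_then_filler()
    print("naive  :", feed_naive(body))    # same offset, far more bytes examined
    print("bounded:", feed_bounded(body))
```

Increase `filler_chunks` and the naive byte count grows quadratically while the bounded one grows linearly, which is the difference between a worker stuck on one request and one that keeps up.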

Exploiting this vulnerability requires an attacker to know an endpoint that accepts file uploads and parses the data in a Werkzeug-based web application. This can be identified by observing endpoint titles or API documentation that refers to file uploads and multipart data handling (e.g., 'upload_file' or other relevant API routes).

Code Snippet

Here is a simple example of a vulnerable Werkzeug-based application using the affected multipart parser:

from werkzeug.wrappers import Request, Response

@Request.application
def application(request):
    if request.method != 'POST':
        return Response("Method not allowed", status=405)
    # Accessing request.files triggers the multipart parser that
    # CVE-2023-46136 affects on unpatched Werkzeug versions.
    file = request.files.get('file')
    if file is None:
        return Response("Missing 'file' field", status=400)
    # Perform file operations here
    return Response("File uploaded successfully")

if __name__ == '__main__':
    from werkzeug.serving import run_simple
    run_simple('localhost', 4000, application)

Patch and Mitigation

The vulnerability has been patched in Werkzeug version 3.0.1. The developers changed the boundary lookup so that it no longer rescans the whole growing buffer, limiting the CPU time consumed per request. To mitigate this vulnerability, it is highly recommended to update Werkzeug to version 3.0.1 or newer.

pip install --upgrade werkzeug

The details about the vulnerability and its patch can be found in the following references:

- Official Werkzeug Website
- GitHub repository for Werkzeug
- CVE-2023-46136 vulnerability details on NIST NVD

Summary

To summarize, developers using the Werkzeug WSGI web application library in their Python applications should be aware of the denial of service vulnerability (CVE-2023-46136) when handling file uploads. Affected applications may have their performance and stability severely degraded by this vulnerability. Upgrading to Werkzeug 3.0.1 or newer is the recommended mitigation strategy.

Timeline

Published on: 10/25/2023 18:17:36 UTC
Last modified on: 11/24/2023 09:15:08 UTC