Vulnerability details: VCID-qn4r-71h3-sbgb
Vulnerability ID VCID-qn4r-71h3-sbgb
Aliases CVE-2023-25577
GHSA-xg9f-g7g7-2323
PYSEC-2023-58
Summary Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small number of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25577.json
epss 0.00366 https://api.first.org/data/v1/epss?cve=CVE-2023-25577
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xg9f-g7g7-2323
cvssv3.1 7.5 https://github.com/pallets/werkzeug
generic_textual HIGH https://github.com/pallets/werkzeug
cvssv3.1 7.5 https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
generic_textual HIGH https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
ssvc Track https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
cvssv3.1 7.5 https://github.com/pallets/werkzeug/releases/tag/2.2.3
generic_textual HIGH https://github.com/pallets/werkzeug/releases/tag/2.2.3
ssvc Track https://github.com/pallets/werkzeug/releases/tag/2.2.3
cvssv3.1 7.5 https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
cvssv3.1_qr HIGH https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
generic_textual HIGH https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
ssvc Track https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-25577
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-25577
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20230818-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20230818-0003
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20230818-0003/
ssvc Track https://security.netapp.com/advisory/ntap-20230818-0003/
cvssv3.1 7.5 https://www.debian.org/security/2023/dsa-5470
generic_textual HIGH https://www.debian.org/security/2023/dsa-5470
ssvc Track https://www.debian.org/security/2023/dsa-5470
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25577.json
https://api.first.org/data/v1/epss?cve=CVE-2023-25577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pallets/werkzeug
https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
https://github.com/pallets/werkzeug/releases/tag/2.2.3
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml
https://security.netapp.com/advisory/ntap-20230818-0003
https://www.debian.org/security/2023/dsa-5470
1031370 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370
2170242 https://bugzilla.redhat.com/show_bug.cgi?id=2170242
CVE-2023-25577 https://nvd.nist.gov/vuln/detail/CVE-2023-25577
GHSA-xg9f-g7g7-2323 https://github.com/advisories/GHSA-xg9f-g7g7-2323
ntap-20230818-0003 https://security.netapp.com/advisory/ntap-20230818-0003/
RHSA-2023:1018 https://access.redhat.com/errata/RHSA-2023:1018
RHSA-2023:1281 https://access.redhat.com/errata/RHSA-2023:1281
RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325
RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341
RHSA-2023:7473 https://access.redhat.com/errata/RHSA-2023:7473
RHSA-2025:4664 https://access.redhat.com/errata/RHSA-2025:4664
RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775
USN-5948-1 https://usn.ubuntu.com/5948-1/
USN-5948-2 https://usn.ubuntu.com/5948-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25577.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/ Found at https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/releases/tag/2.2.3

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/ Found at https://github.com/pallets/werkzeug/releases/tag/2.2.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/ Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25577

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20230818-0003

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20230818-0003/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/ Found at https://security.netapp.com/advisory/ntap-20230818-0003/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2023/dsa-5470

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/ Found at https://www.debian.org/security/2023/dsa-5470
Exploit Prediction Scoring System (EPSS)
Percentile 0.58583
EPSS Score 0.00366
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:04.929357+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/werkzeug/PYSEC-2023-58.yaml 38.0.0