PatchSiren cyber security CVE debrief
CVE-2023-46136 Palletsprojects CVE debrief
CVE-2023-46136 is a denial-of-service issue in Werkzeug's multipart upload handling. A crafted file upload whose body begins with CR or LF and is then followed by a large run of bytes containing neither character causes the parser to repeat its boundary search over the whole accumulated buffer after every chunk, so CPU time grows roughly quadratically with the upload size and the worker processes that should be handling legitimate requests are tied up. The issue is fixed in Werkzeug 3.0.1 and 2.3.8.
- Vendor: Palletsprojects
- Product: Werkzeug
- CVSS: HIGH 8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-10-25
- Original CVE updated: 2026-05-20
- Advisory published: 2023-10-25
- Advisory updated: 2026-05-20
Who should care
Teams operating Python web applications that use Werkzeug for request parsing, including Flask applications, and especially internet-facing services that accept multipart file uploads. The highest concern is for deployments on Werkzeug 3.0.0 or on any release before 2.3.8.
Technical summary
According to the CVE description, the multipart parser appends upload bytes chunk by chunk into an internal bytearray and performs the boundary lookup on the growing buffer whenever a part starts with CR or LF and is followed by a large run of bytes without those characters. A boundary begins with a line break, so the parser treats that leading CR or LF as a possible start of a boundary and holds the data back rather than emitting it; because no later newline arrives, the buffer is never flushed and every new chunk triggers a fresh search over everything received so far. The result is excessive CPU work and denial of service. NVD lists affected CPE criteria for Werkzeug 3.0.0 and versions prior to 2.3.8, and the vendor advisory and patch links document the fix.
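To make that cost concrete, here is a toy model of the pattern described above. It is an added illustration written for this debrief, not Werkzeug's parser and not the upstream patch; the boundary value, the chunk size, the constructed sample bodies and the `parse_bounded` hardening are all assumptions. Both variants hold back bytes that might begin the delimiter that ends a part and emit the rest as data; the difference is whether the "hold back from the earliest trailing CR/LF" rule looks at the whole accumulated buffer or only at the last few bytes where a partial delimiter could actually sit.

```python
"""Toy model of the parsing pattern behind CVE-2023-46136.

Added illustration, not Werkzeug's parser or the upstream patch. One part
of a multipart body arrives in chunks; a parser must hold back any trailing
bytes that could begin the delimiter that ends the part (CR LF "--boundary")
and may emit everything before them as data. Both variants below emit the
same bytes; they differ in how much of the buffer they re-examine per chunk.
"""
from dataclasses import dataclass, field

BOUNDARY = b"--boundaryX"      # constructed example boundary, not from any request
DELIM = b"\r\n" + BOUNDARY     # delimiter that terminates a part's data


def last_newline(buf: bytes) -> int:
    """Index of the earlier of the last CR and the last LF in buf, or len(buf)
    if it has neither. A delimiter starts with CR LF, so bytes before that
    index cannot belong to a trailing, not-yet-complete delimiter."""
    cr = buf.rfind(b"\r")
    lf = buf.rfind(b"\n")
    cr = len(buf) if cr < 0 else cr
    lf = len(buf) if lf < 0 else lf
    return min(cr, lf)


@dataclass
class Result:
    data: bytearray = field(default_factory=bytearray)  # bytes emitted as part data
    bytes_scanned: int = 0                               # bytes walked by find() in total
    found_delim: bool = False


def _feed(chunks, hold_window):
    """Shared loop. hold_window is how many trailing bytes are inspected for a
    CR/LF to hold back: None means the whole buffer (vulnerable pattern),
    len(DELIM) - 1 means only where a partial delimiter could sit (bounded)."""
    res, buf = Result(), bytearray()
    for chunk in chunks:
        buf += chunk
        res.bytes_scanned += len(buf)          # find() walks the whole buffer each time
        hit = buf.find(DELIM)
        if hit == -1:
            win = 0 if hold_window is None else max(0, len(buf) - hold_window)
            cut = win + last_newline(buf[win:])
            drop = cut
        else:
            cut, drop, res.found_delim = hit, hit + len(DELIM), True
        res.data += buf[:cut]
        del buf[:drop]
        if res.found_delim:
            break
    return res


def parse_vulnerable(chunks) -> Result:
    """The pattern the CVE describes: when the delimiter is absent, hold back
    from the earliest trailing CR/LF anywhere in the buffer. A part that starts
    with CR or LF and never contains another newline is therefore never flushed,
    and each chunk triggers a search over everything received so far: O(n^2)."""
    return _feed(chunks, hold_window=None)


def parse_bounded(chunks) -> Result:
    """Hardened variant (an assumption of this example, not the upstream fix):
    a partial delimiter can only occupy the last len(DELIM) - 1 bytes, so only
    that window is inspected for a CR/LF to hold back. The buffer never exceeds
    that window plus one chunk, so total work is O(n)."""
    return _feed(chunks, hold_window=len(DELIM) - 1)


def chunked(body: bytes, size: int):
    for i in range(0, len(body), size):
        yield body[i:i + size]


def compare(body: bytes, chunk_size: int = 4096):
    """Run both parsers over the same part body and return (vulnerable, bounded)."""
    return parse_vulnerable(chunked(body, chunk_size)), parse_bounded(chunked(body, chunk_size))


if __name__ == "__main__":
    # Constructed pathological part: a leading CR, then 1 MiB with no CR or LF.
    body = b"\r" + b"A" * (1 << 20) + DELIM + b"--\r\n"
    vuln, fixed = compare(body)
    assert bytes(vuln.data) == bytes(fixed.data)
    print(f"vulnerable variant scanned {vuln.bytes_scanned:,} bytes, "
          f"bounded variant scanned {fixed.bytes_scanned:,} bytes")
```

The `bytes_scanned` counter is a deterministic stand-in for CPU time: with 4096-byte chunks the vulnerable variant walks the sum of all intermediate buffer lengths, while the bounded one walks each byte about once. A delimiter that straddles two chunks is still handled by both, which is the property any fix for this class of bug must preserve.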
Defensive priority
High priority for any application that accepts multipart form uploads through a vulnerable Werkzeug version. Because a single crafted upload can occupy a worker's CPU for an extended period and so reduce the service's request-handling capacity, exposed services should be updated promptly.
Recommended defensive actions
- Upgrade Werkzeug to 3.0.1 or later, or to 2.3.8 or later on the 2.x branch.
- Inventory applications and containers that bundle or pin Werkzeug, including transitive dependencies in Flask-based stacks where Werkzeug is pulled in by Flask rather than pinned directly.
- Prioritize remediation for internet-facing endpoints that accept file uploads or other multipart form data.
- Monitor for unusual spikes in worker CPU time, request latency, or upload-related request volume until patching is complete.
- Use the linked vendor advisory and patch commit to verify the fixed release in your deployment pipeline.
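A small triage script for the inventory and upgrade steps above, added here as an example rather than a PatchSiren or Pallets tool. It applies the fixed-version rule from this debrief (2.3.8 on the 2.x branch, 3.0.1 on 3.x, everything earlier affected) to exact pins found in requirements or lock-file text and to the Werkzeug installed in the running interpreter. The version-string handling, the sample lock file and the `is_vulnerable`/`scan_requirements` names are assumptions; treating a pre-release of the fixed version as still affected is a conservative choice of this example, not something the advisory states.

```python
"""Triage helper for CVE-2023-46136 (added example, not a PatchSiren or
Werkzeug tool). Fixed releases per the advisory: 2.3.8 on the 2.x branch
and 3.0.1 on 3.x; every earlier release is treated as affected."""
import re
from importlib import metadata

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?P<suffix>\S*)\s*$")
_PIN_RE = re.compile(r"^\s*werkzeug\s*==\s*([^\s;#]+)", re.IGNORECASE)


def parse_version(text: str):
    """Return ((major, minor, patch), is_final) or None if unrecognised.
    A suffix such as 'rc1' or 'a1' marks a pre-release; '.postN' is final."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    release = (int(m[1]), int(m[2]), int(m[3] or 0))
    suffix = m["suffix"]
    return release, suffix == "" or suffix.startswith(".post")


def is_vulnerable(version: str) -> bool:
    """True if this Werkzeug version predates the fix for its branch.
    Pre-releases of the fixed version itself are treated as affected
    (an assumption of this example; the advisory names only final fixes)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    release, final = parsed
    fixed = (3, 0, 1) if release[0] >= 3 else (2, 3, 8)
    return release < fixed or (release == fixed and not final)


def scan_requirements(text: str):
    """Find exact Werkzeug pins (name==version) in requirements or lock-file
    text, ignoring environment markers and comments after the version.
    Returns [(line_no, version, vulnerable)] in file order. Range specifiers
    such as 'werkzeug>=2.3' are not resolved and need a resolver instead."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _PIN_RE.match(line)
        if m:
            findings.append((line_no, m[1], is_vulnerable(m[1])))
    return findings


def installed_status():
    """(version, vulnerable) for the Werkzeug importable by this interpreter,
    or None if it is not installed."""
    try:
        version = metadata.version("Werkzeug")
    except metadata.PackageNotFoundError:
        return None
    return version, is_vulnerable(version)


# Constructed sample lock file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
flask==3.0.0
Werkzeug==3.0.0
werkzeug==2.3.7 ; python_version < "3.9"
werkzeug==2.3.8  # 2.x backport of the fix
"""

if __name__ == "__main__":
    for line_no, version, vulnerable in scan_requirements(SAMPLE_REQUIREMENTS):
        state = "AFFECTED" if vulnerable else "fixed"
        print(f"line {line_no}: Werkzeug {version} -> {state}")
    print("installed:", installed_status())
```

Run it inside each application's virtual environment or container image so `installed_status()` reports what actually serves traffic; a lock file that pins a fixed version proves nothing if the deployed image was built before the pin changed.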
Evidence notes
The CVE description states that malformed multipart uploads can trigger chunk-by-chunk buffering and repeated boundary lookup, leading to CPU exhaustion and worker blockage. NVD marks Werkzeug 3.0.0 and versions before 2.3.8 as vulnerable, and the GitHub security advisory plus patch commit provide the vendor fix reference. The published CVE date is 2023-10-25; the later 2026-05-20 modification date is source metadata and not the issue date.
Official resources
- CVE-2023-46136 CVE record (CVE.org)
- CVE-2023-46136 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch (GitHub security advisory source)
- Mitigation or vendor reference: Vendor Advisory (GitHub security advisory source)
- Mitigation or vendor reference: Third Party Advisory (NVD source af854a3a-2127-422b-91ae-364da2661108)
Publicly disclosed on 2023-10-25. The record was modified on 2026-05-20 in the source feed; that modification date is not the vulnerability date.