Debian 9807 Published by

A python-werkzeug security update has been released for Debian GNU/Linux 10 LTS to address two vulnerabilities that allowed an attacker to inject cookies in certain situations and cause a denial of service (DoS).

DLA 3346-1: python-werkzeug security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3346-1 Sylvain Beucler
February 27, 2023
- -------------------------------------------------------------------------

Package : python-werkzeug
Version : 0.14.1+dfsg1-4+deb10u2
CVE ID : CVE-2023-23934 CVE-2023-25577
Debian Bug : 1031370

Two vulnerabilities were discovered in Werkzeug, a collection of
utilities for WSGI (web) applications. An attacker may inject cookies
in specific situations, and cause a denial of service (DoS).


Werkzeug will parse the cookie `=__Host-test=bad` as
__Host-test=bad`. If a Werkzeug application is running next to a
vulnerable or malicious subdomain which sets such a cookie using a
vulnerable browser, the Werkzeug application will see the bad
cookie value but the valid cookie key. Browsers may allow
"nameless" cookies that look like `=value` instead of
`key=value`. A vulnerable browser may allow a compromised
application on an adjacent subdomain to exploit this to set a
cookie like `=__Host-test=bad` for another subdomain.


Werkzeug's multipart form data parser will parse an unlimited
number of parts, including file parts. Parts can be a small amount
of bytes, but each requires CPU time to parse and may use more
memory as Python data. If a request can be made to an endpoint
that accesses ``, `request.form`, `request.files`, or
`request.get_data(parse_form_data=False)`, it can cause
unexpectedly high resource usage. This allows an attacker to cause
a denial of service by sending crafted multipart data to an
endpoint that will parse it.

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your python-werkzeug packages.

For the detailed security status of python-werkzeug please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: