All Werkzeug CVEs — Complete Vulnerability History
Werkzeug is Flask's WSGI toolkit. CVEs here affect all Flask applications since Werkzeug handles request parsing, routing, and debugging. The debugger CVE (2023) is particularly serious.
PyPI · 100M+ weekly downloads · 3 CVEs total · 1 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-25577 | 2023 | HIGH | DoS via crafted multipart request with many headers | Fixed 2.2.3 |
| CVE-2023-46136 | 2023 | HIGH | DoS via multipart form parsing with many fields | Fixed 3.0.1 |
| CVE-2024-34069 | 2024 | CRITICAL | RCE via debugger PIN bypass in development mode | Fixed 3.0.3 |
Current safe version: 3.0.3

Update the Werkzeug pin in requirements.txt (the quotes around the requirement in the original snippet are not valid requirements.txt syntax and have been dropped):

```
# Before
Werkzeug==2.0.0
# After
Werkzeug==3.0.3
```

Then run: pip install -r requirements.txt
Common questions
Is CVE-2024-34069 critical for production apps?
It only affects apps running with WERKZEUG_DEBUG_PIN or debug=True, which should never be the case in production. The fix is twofold: never run Werkzeug's debug mode in production, and update to 3.0.3.
Does updating Flask update Werkzeug?
Not automatically. Flask has a loose Werkzeug version constraint, so specify Werkzeug explicitly in your requirements.txt.
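As an added example (not the page's or PackageFix's own code), a small checker that reads a requirements.txt, finds the explicit Werkzeug pin the answer above asks for, and reports which CVEs from the table the pinned version is still exposed to, using the fix versions listed there. The sample manifest is constructed; only `==` pins are considered, and a missing Werkzeug pin is reported as "unpinned" rather than guessed.

```python
import re

# Fix versions from the page's CVE table (first release that closes each CVE).
WERKZEUG_FIXES = {
    "CVE-2023-25577": (2, 2, 3),
    "CVE-2023-46136": (3, 0, 1),
    "CVE-2024-34069": (3, 0, 3),
}

# Constructed sample manifest: Werkzeug pinned to the page's "Before" value,
# Flask present but carrying no explicit Werkzeug constraint of its own.
SAMPLE_REQUIREMENTS = """\
Flask==2.0.3
Werkzeug==2.0.0
requests>=2.31  # not an '==' pin, ignored
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_pins(text):
    """Return {name_lower: version_tuple} for every '==' pin in a requirements file."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PIN.match(line)
        if m:
            version = tuple(int(p) for p in m.group(2).strip(".").split("."))
            pins[m.group(1).lower()] = version
    return pins


def werkzeug_cves(text):
    """CVEs from the table that the pinned Werkzeug version predates the fix for.

    Returns None when Werkzeug is not pinned at all, i.e. Flask's loose
    constraint decides the installed version and nothing can be concluded.
    """
    version = parse_pins(text).get("werkzeug")
    if version is None:
        return None
    return [cve for cve, fixed in WERKZEUG_FIXES.items() if version < fixed]


if __name__ == "__main__":
    exposed = werkzeug_cves(SAMPLE_REQUIREMENTS)
    print("Werkzeug unpinned" if exposed is None else f"exposed to: {exposed}")
```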