All Werkzeug CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

Werkzeug is Flask's WSGI toolkit. The CVEs listed here affect every Flask application, because Werkzeug handles request parsing, routing, and the interactive debugger. The debugger CVE (2023) is particularly serious.

PyPI: 100M+ weekly downloads · 3 CVEs total · 1 CRITICAL

Full CVE history

CVE            | Year | Severity | Description                                          | Fix
CVE-2023-25577 | 2023 | HIGH     | DoS via crafted multipart request with many headers  | Fixed 2.2.3
CVE-2023-46136 | 2023 | HIGH     | DoS via multipart form parsing with many fields      | Fixed 3.0.1
CVE-2024-34069 | 2024 | CRITICAL | RCE via debugger PIN bypass in development mode      | Fixed 3.0.3

Current safe version: 3.0.3

# Before (requirements.txt)
Werkzeug==2.0.0
# After
Werkzeug==3.0.3

Then run: pip install -r requirements.txt

Werkzeug CVEs — Flask's WSGI toolkit

Werkzeug is the WSGI utility library that Flask is built on, so Werkzeug vulnerabilities directly affect all Flask applications. When pip-audit flags Werkzeug, your Flask app is exposed.

Known Werkzeug CVEs

CVE            | Severity | Description                           | Safe Version
CVE-2024-49767 | HIGH     | DoS via multipart form data parsing   | 3.0.6+
CVE-2024-34069 | HIGH     | Debugger PIN bypass, RCE if debug=True | 3.0.3+
CVE-2023-46136 | HIGH     | DoS via crafted multipart boundary    | 3.0.1+
CVE-2023-25577 | HIGH     | DoS via large multipart form data     | 2.2.3+

Fix Werkzeug

# Safe version — 3.0.6 or later
pip install werkzeug --upgrade

# Pin in requirements.txt
werkzeug>=3.0.6

pip install -r requirements.txt

# Verify
pip show werkzeug | grep Version

CVE-2024-34069 — RCE via debugger PIN bypass

This is the highest-risk Werkzeug CVE. The Werkzeug debugger PIN can be bypassed if an attacker knows the machine ID and MAC address, both of which are often obtainable via path traversal. This gives full RCE. It only affects apps running with debug mode enabled; in production, debug mode must always be off.
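To turn the tables above into a repeatable check, here is an added example (not part of this page's tooling) that reads the Werkzeug pin out of a requirements file and reports which of the CVEs listed on this page still apply to that version. The fixed-in versions are taken from the tables above; the requirements text is constructed for the demo.

```python
"""Audit a pinned Werkzeug version against the CVEs listed on this page."""
import re

# CVE -> first fixed version, as given in the tables on this page.
WERKZEUG_FIXED_IN = {
    "CVE-2023-25577": (2, 2, 3),
    "CVE-2023-46136": (3, 0, 1),
    "CVE-2024-34069": (3, 0, 3),
    "CVE-2024-49767": (3, 0, 6),
}


def parse_version(text):
    """Turn '3.0.3' (or '3.0', '3.0.3rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def pinned_werkzeug(requirements_text):
    """Return the exact '==' Werkzeug pin from requirements text, or None.

    Only '==' pins are conclusive: a '>=' bound does not tell you which
    version pip resolved, so check that with `pip show werkzeug` instead.
    """
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"(?i)werkzeug\s*==\s*([\w.]+)$", line)
        if m:
            return m.group(1)
    return None


def affected_cves(version):
    """List the page's CVEs whose fix version is newer than `version`."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in WERKZEUG_FIXED_IN.items() if v < fixed)


if __name__ == "__main__":
    # Constructed sample manifest with an old pin.
    sample = "flask==2.3.0\nWerkzeug==2.2.2  # pinned long ago\n"
    pin = pinned_werkzeug(sample)
    print(f"Werkzeug pin: {pin}")
    print("affected:", affected_cves(pin) if pin else "no exact pin found")
```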


Common questions

Is CVE-2024-34069 critical for production apps?
It only affects apps running with WERKZEUG_DEBUG_PIN or debug=True, which should never happen in production. The fix is to never run Werkzeug's debug mode in production and to update to 3.0.3.
Does updating Flask update Werkzeug?
Not automatically. Specify Werkzeug explicitly in your requirements.txt. Flask has a loose Werkzeug version constraint.
