Skip to content

VULN UPGRADE: Werkzeug (major → 3.1.4) #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
campaigner-prod wants to merge 1 commit into
base: master
Choose a base branch
from
Open

VULN UPGRADE: Werkzeug (major → 3.1.4) #19

campaigner-prod wants to merge 1 commit into from
+13 −15

Conversation

@campaigner-prod
Copy link

@campaigner-prod campaigner-prod bot commented Jan 8, 2026

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • . (pip)

Updates

Package From To Type Vulnerabilities Fixed
Werkzeug 2.0.3 3.1.4 major 2 HIGH, 4 MODERATE, 1 LOW, 4 UNKNOWN

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
Werkzeug GHSA-xg9f-g7g7-2323 HIGH High resource usage when parsing multipart form data with many fields 2.0.3 2.2.3
Werkzeug GHSA-2g68-c3qc-8985 HIGH Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain 2.0.3 3.0.3
ℹ️ Other Vulnerabilities (9)
Package CVE Severity Summary Unsafe Version Fixed In
Werkzeug GHSA-f9vj-2wh5-fj8j MODERATE Werkzeug safe_join not safe on Windows 2.0.3 3.0.6
Werkzeug GHSA-hgf8-39gv-g3f2 MODERATE Werkzeug safe_join() allows Windows special device names 2.0.3 3.1.4
Werkzeug GHSA-q34m-jh98-gwm2 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 2.0.3 3.0.6
Werkzeug GHSA-hrfv-mqp8-q5rw MODERATE Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning 2.0.3 3.0.1
Werkzeug GHSA-px8h-6qxv-m22q LOW Incorrect parsing of nameless cookies leads to __Host- cookies bypass 2.0.3 2.2.3
Werkzeug PYSEC-2022-203 unknown - 2.0.3 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85
Werkzeug PYSEC-2023-58 unknown - 2.0.3 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
Werkzeug PYSEC-2023-221 unknown - 2.0.3 f3c803b3ade485a45f12b6d6617595350c0f03e2
Werkzeug PYSEC-2023-57 unknown - 2.0.3 cf275f42acad1b5950c50ffe8ef58fe62cdce028

Review Checklist

Enhanced review recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-high-severity adms-low-severity adms-major-update adms-medium-severity adms-mode-critical-high-vulns adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant