CVE-2023-23934

Wrkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass

Description

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Category

2.6
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.23%
Vendor Advisory github.com
Affected: pallets werkzeug
Published at:
Updated at:

References

Link Tags
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q vendor advisory
https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 patch
https://github.com/pallets/werkzeug/releases/tag/2.2.3 release notes
https://www.debian.org/security/2023/dsa-5470
https://security.netapp.com/advisory/ntap-20230818-0003/

Frequently Asked Questions

What is the severity of CVE-2023-23934?
CVE-2023-23934 has been scored as a low severity vulnerability.
How to fix CVE-2023-23934?
To fix CVE-2023-23934, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-23934 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-23934 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-23934?
CVE-2023-23934 affects pallets werkzeug.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.