GitHub
github.com › pallets › werkzeug › security › advisories › GHSA-px8h-6qxv-m22q
cookie prefixed with `=` can shadow unprefixed cookie · Advisory · pallets/werkzeug · GitHub
A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad.
Red Hat
bugzilla.redhat.com › show_bug.cgi
2170243 – (CVE-2023-23934) CVE-2023-23934 python-werkzeug: cookie prefixed with = can shadow unprefixed cookie
IBM
ibm.com › support › pages › security-bulletin-cookie-parsing-vulnerability-werkzeug-allows-subdomain-cookie-injection-≤-v222-affects-watsonxdata
Security Bulletin: Cookie Parsing Vulnerability in Werkzeug Allows Subdomain Cookie Injection (≤ v2.2.2), affects watsonx.data
3 weeks ago - CVEID: CVE-2023-23934 DESCRIPTION: ... like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain....
GitHub
github.com › eric1234 › werkzeug-cookie-prefix-poc
GitHub - eric1234/werkzeug-cookie-prefix-poc: POC for minor werkzeug cookie prefix security issue
This POC demonstrates this by having the curl HTTP command line client have two cookies. One insecure, the other secure. When the server reads the secure cookie it receives the insecure value. I have two versions of the server. One using raw Werkzeug (named w.py), the other using Flask (named f.py).
Author   eric1234
Vulert
vulert.com › vuln-db › pypi-werkzeug-57270
CVE-2023-23934: Incorrect parsing of nameless cookies leads to __Host- cookies bypass in Werkzeug
These cookies are typically represented as =value instead of the usual key=value format. A compromised application on an adjacent subdomain can exploit this behavior in vulnerable browsers to set a cookie like =__Host-test=bad for another subdomain.
CloudDefense.ai
clouddefense.ai › cve › 2023 › CVE-2023-23934
CVE-2023-23934: Werkzeug Cookie Parsing Vulnerability
This vulnerability occurs due to Werkzeug, a comprehensive WSGI web application library, improperly parsing nameless cookies which can be exploited by compromised applications on adjacent subdomains.
HackTricks
book.hacktricks.xyz › home › network services pentesting › pentesting web › werkzeug
Werkzeug / Flask Debug - HackTricks
This script produces the PIN by hashing the concatenated bits, adding specific salts (cookiesalt and pinsalt), and formatting the output. It’s important to note that the actual values for probably_public_bits and private_bits need to be accurately obtained from the target system to ensure the generated PIN matches the one expected by the Werkzeug console.
Acunetix
acunetix.com › vulnerabilities › web › werkzeug-wsgi-cve-2023-23934-vulnerability-cve-2023-23934
Werkzeug WSGI CVE-2023-23934 Vulnerability (CVE-2023-23934) - Vulnerabilities - Acunetix
Werkzeug is a comprehensive WSGI ... like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain....
Vigilance
vigilance.fr › vulnerability › Werkzeug-privilege-escalation-via-Cookie-Key-40658
Vulnerability in Werkzeug: privilege escalation via Cookie Key | Vigilance.fr
February 27, 2023 - An attacker can bypass restrictions of Werkzeug, via Cookie Key, in order to escalate his privileges, identified by CVE-2023-23934.
Vulert
vulert.com › vuln-db › pypi-werkzeug-70369
CVE-2023-23934: Cookie Parsing Vulnerability in Werkzeug
CVE-2023-23934: Cookie Parsing Vulnerability in Werkzeug. This vulnerability allows for the exploitation of nameless cookies, potentially leading to session hijacking or unauthorized access to sensitive information.
CVE Details
cvedetails.com › vulnerability-list › vendor_id-17201 › product_id-41301 › Palletsprojects-Werkzeug.html
Palletsprojects Werkzeug : Security vulnerabilities, CVEs
February 3, 2018 - Werkzeug is a comprehensive WSGI ... like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain....
Medium
medium.com › @starlaurentius › playing-admin-with-signed-cookies-a-hands-on-example-f2eb6027e381
Playing Admin With Signed Cookies — A Hands-on Example | by Lorenzo Stella | Medium
August 22, 2023 - It is literally as easy as intercepting some network traffic in the clear, fetching the cookie and inserting it into our HTTP requests. Another way to exploit cookies is for example to retrieve an authentication cookie for a user-level login and change its value to make the server think you are logged in as an admin:
GitHub
github.com › grav3m1nd-byte › werkzeug-pin
GitHub - grav3m1nd-byte/werkzeug-pin: Yet another Werkzeug Console Pin Exploit Explanation · GitHub
They are unlikely to be contained ... '0') for x in range(0, len(num), group_size)) break else: rv = num return rv, cookie_name · From this function, the following variables need to be exploited to get the console PIN:...
Author   grav3m1nd-byte
Mizu
mizu.re › post › abusing-client-side-desync-on-werkzeug
Abusing Client-Side Desync on Werkzeug. Tags:Article - Article - Web - Request_Smuggling
Therefore, even if the cookies aren't sent over the first requests, they will be accessible from the JavaScript after the exploitation. In section HTTP request parsing error in Werkzeug, we exposed a request smuggling vulnerability in Werkzeug 2.1.0 to 2.1.1, without exposing any security risk.
Greg Scharf
blog.gregscharf.com › 2023 › 04 › 09 › lfi-to-rce-in-flask-werkzeug-application
LFI to RCE in Flask Werkzeug Application :: Greg Scharf — Development & Security
April 10, 2023 - GET /download?fn=../../../../app/venv/lib/python3.10/site-packages/werkzeug/debug/__init__.py · To reverse the PIN you’ll want to pull the code out of __init__.py that generates the PIN and cookie. That code is included below. You’ll only need two Python libraries to make that work, which I’ve also included in the modified script below.
GitHub
github.com › rapid7 › metasploit-framework › blob › master › documentation › modules › exploit › multi › http › werkzeug_debug_rce.md
metasploit-framework/documentation/modules/exploit/multi/http/werkzeug_debug_rce.md at master · rapid7/metasploit-framework
Do: set FLASKPATH /usr/local/lib/<python3.version>/site-packages/flask/app.py (where <python3.version> matches the version on the system being exploited) ... You should see a failure due to the check failing. Method of authentication. Valid values are: generated-cookie: Cookie generated from information provided about the application's environment. When this mode is used, the following additional options must be set: APPNAME: The name of the application according to Werkzeug.
Author   rapid7
Medium
notdodo.medium.com › write-up-hack-the-box-oz-e7546749991a
Write-up: Hack The Box — Oz. Description | by Edoardo Rosa | Medium
January 15, 2019 - First we have to identify which engine the web app is using (Mako, Jinja2, Twig, …): since Jinja2 is the most used one we can try to inject {{2+2}}; if the application returns 4 it's possible to exploit the application to run Python code.

    import requests

    url = "http://10.10.10.96:8080/"
    data = {"username": "wizard.oz", "password": "wizardofoz22"}
    header = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
    }

    sess = requests.Session()
    sess.headers.update(header)
    sess.post(url + "login", data=data)
    print(sess.cookies.get_dict())

    exploit = {"name": "{{2+2}}", "desc": "desc"}
    r = sess.post(url, data=exploit, allow_redirects=False)
    print(r.text)