VULN UPGRADE: Werkzeug (major → 3.1.6) [opentelemetry/python-microservice]

[campaigner-prod]

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• opentelemetry/python-microservice (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
Werkzeug	1.0.1	3.1.6	major	2 CRITICAL, 5 HIGH, 13 MODERATE, 3 LOW

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (7 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Werkzeug	PYSEC-2022-203	critical	-	1.0.1	9a3a981d70d2e9ec3344b5192f86fcaf3210cd85
Werkzeug	CVE-2022-29361	critical	-	1.0.1	-
Werkzeug	GHSA-2g68-c3qc-8985	HIGH	Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	1.0.1	3.0.3
Werkzeug	CVE-2023-25577	high	Werkzeug may allow high resource usage when parsing multipart form data with many fields	1.0.1	-
Werkzeug	GHSA-xg9f-g7g7-2323	HIGH	High resource usage when parsing multipart form data with many fields	1.0.1	2.2.3
Werkzeug	PYSEC-2023-58	high	-	1.0.1	517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
Werkzeug	CVE-2024-34069	HIGH	Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution	1.0.1	-

ℹ️ Other Vulnerabilities (16)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Werkzeug	CVE-2024-49766	MODERATE	Werkzeug safe_join not safe on Windows	1.0.1	-
Werkzeug	GHSA-87hc-h4r5-73f7	MODERATE	Werkzeug safe_join() allows Windows special device names with compound extensions	1.0.1	3.1.5
Werkzeug	GHSA-f9vj-2wh5-fj8j	MODERATE	Werkzeug safe_join not safe on Windows	1.0.1	3.0.6
Werkzeug	GHSA-hgf8-39gv-g3f2	MODERATE	Werkzeug safe_join() allows Windows special device names	1.0.1	3.1.4
Werkzeug	GHSA-hrfv-mqp8-q5rw	MODERATE	Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	1.0.1	3.0.1
Werkzeug	CVE-2023-46136	MODERATE	Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	1.0.1	-
Werkzeug	PYSEC-2023-221	MODERATE	-	1.0.1	f3c803b3ade485a45f12b6d6617595350c0f03e2
Werkzeug	CVE-2024-49767	MODERATE	Werkzeug possible resource exhaustion when parsing file data in forms	1.0.1	-
Werkzeug	GHSA-q34m-jh98-gwm2	MODERATE	Werkzeug possible resource exhaustion when parsing file data in forms	1.0.1	3.0.6
Werkzeug	CVE-2026-27199	MODERATE	Werkzeug safe_join() allows Windows special device names	1.0.1	-
Werkzeug	CVE-2025-66221	MODERATE	Werkzeug safe_join() allows Windows special device names	1.0.1	-
Werkzeug	CVE-2026-21860	MODERATE	Werkzeug safe_join() allows Windows special device names with compound extensions	1.0.1	-
Werkzeug	GHSA-29vq-49wr-vm6x	MODERATE	Werkzeug safe_join() allows Windows special device names	1.0.1	3.1.6
Werkzeug	PYSEC-2023-57	LOW	-	1.0.1	cf275f42acad1b5950c50ffe8ef58fe62cdce028
Werkzeug	CVE-2023-23934	LOW	Wrkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass	1.0.1	-
Werkzeug	GHSA-px8h-6qxv-m22q	LOW	Incorrect parsing of nameless cookies leads to __Host- cookies bypass	1.0.1	2.2.3

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
Werkzeug	1.0.1	-	3.1.6	opentelemetry/python-microservice/requirements.txt

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System