Question regarding CVE-2022-29361

[acipm]

I have a question regarding the HTTP request smuggling vulnerability CVE-2022-29361 in werkzeug.

The resources provided at mitre seem not to be pointing to a fix. I tried to find a fix but was unsuccessful.

Would it be possible for you to link to a fixing commit or provide a security advisory here? Thanks a lot!

[davidism]

This cve is invalid, if you're running the dev server in production you have bigger security issues. The dev server is never intended to be run in production. The cve is also misattributed, it is about Python's http.server.

That said, upgrade Werkzeug

[acipm]

Thank you for your reply. If this is invalid could you please dispute the CVE at mitre?
You can do that here. Just link this issue, it should be sufficient.

[davidism]

From past experience, disputing is not worth my time. I don't put much faith in the CVE system now, as it is too easy for anyone to open issues without being involved or understanding them, and the dispute process went nowhere last time I tried.