Introduce reasonable defaults for critical config settings #2964
Description
Werkzeug 3.0.6 fixes a security issue with the Request.max_form_memory_size setting not having any effect on large text form fields. While the bug is fixed now, the default value for Request.max_form_memory_size is still None, which means: no limit. Applications not setting this value are still vulnerable to CVE-2024-49767 by default.
Flask is known as a beginner-friendly framework. The setting is not mentioned in the written documentation, only in the auto-generated API documentation, and the text does not imply that this might be an important or security-related setting. Most other frameworks have reasonable default limits for text fields: Django 2.5MB, Bottle 100KB, multipart 64KB, Starlette/FastAPI 1MB.
I would like to suggest Flask (and Quart) also adopting reasonable default limits for this setting, and maybe other security-related settings as well.
Disclaimer: This was already part of the original report and responsibly disclosed, but not classified as a security issue.