CVE-2024-24762
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kludex | python-multipart | 0 < 0.0.7 | affected |
| tiangolo | fastapi | 0 < 0.109.1 | affected |
| encode | starlette | 0 < 0.36.2 | affected |
Weaknesses
- CWE-400: CWE-400 Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
- https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
- https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
- https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
- https://github.com/tiangolo/fastapi/releases/tag/0.109.1
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
- https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
- https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
- https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
- https://github.com/tiangolo/fastapi/releases/tag/0.109.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.