Vulnerability Description
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastapiexpert | Python-Multipart | < 0.0.7 |
| Encode | Starlette | < 0.36.2 |
| Tiangolo | Fastapi | < 0.109.1 |
Related Weaknesses (CWE)
References
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57Patch
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3wExploitVendor Advisory
- https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d980Product
- https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80Patch
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238Broken Link
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d85108502Patch
- https://github.com/tiangolo/fastapi/releases/tag/0.109.1Product
- https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389Broken Link
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57Patch
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3wExploitVendor Advisory
- https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d980Product
- https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80Patch
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238Broken Link
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d85108502Patch
- https://github.com/tiangolo/fastapi/releases/tag/0.109.1Product
FAQ
What is CVE-2024-24762?
CVE-2024-24762 is a vulnerability with a CVSS score of 7.5 (HIGH). `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacke...
How severe is CVE-2024-24762?
CVE-2024-24762 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-24762?
Check the references section above for vendor advisories and patch information. Affected products include: Fastapiexpert Python-Multipart, Encode Starlette, Tiangolo Fastapi.