CVE-2024-24762 python-multipart vulnerable to content-type header Regular expression Denial of Service

2024-02-05 14:33:06
CWE-400
GitHub_M
www.cve.org
Tags: python-multipart, content-type, denial of service, vulnerability, patched, cve-2024-24762

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 47.2%

python-multipart is a streaming multipart parser for Python. When handling form data, python-multipart uses a regular expression to parse the HTTP Content-Type header, including its options. An attacker could send a custom-made Content-Type option that is very difficult for the regex to process, consuming CPU and stalling indefinitely (minutes or more) while holding the main event loop. This means the process can't handle any more requests, leading to a regular expression denial of service (ReDoS). This vulnerability has been patched in version 0.0.7.

CNA Affected

[
  {
    "collectionURL": "https://github.com/Kludex/python-multipart",
    "defaultStatus": "unaffected",
    "packageName": "python-multipart",
    "product": "python-multipart",
    "repo": "https://github.com/Kludex/python-multipart",
    "vendor": "Kludex",
    "versions": [
      {
        "lessThan": "0.0.7",
        "status": "affected",
        "version": "0",
        "versionType": "affected"
      }
    ]
  },
  {
    "collectionURL": "https://github.com/tiangolo/fastapi",
    "defaultStatus": "unaffected",
    "packageName": "fastapi",
    "product": "fastapi",
    "repo": "https://github.com/tiangolo/fastapi",
    "vendor": "tiangolo",
    "versions": [
      {
        "lessThan": "0.109.1",
        "status": "affected",
        "version": "0",
        "versionType": "affected"
      }
    ]
  },
  {
    "collectionURL": "https://github.com/encode/starlette",
    "defaultStatus": "unaffected",
    "packageName": "starlette",
    "product": "starlette",
    "repo": "https://github.com/encode/starlette",
    "vendor": "encode",
    "versions": [
      {
        "lessThan": "0.36.2",
        "status": "affected",
        "version": "0",
        "versionType": "affected"
      }
    ]
  }
]
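The practical question for a defender is whether the versions deployed fall inside the affected ranges above. The following is an added example, not part of the CVE record or of any of the three projects: it parses the CNA Affected JSON exactly as shown on this page (with the packageName spelling normalised to "starlette") and reports which of python-multipart, fastapi and starlette, at the versions supplied, lie within a range marked "affected" (from "version": "0" up to but excluding "lessThan"). The `installed_versions` helper is an assumption about how you would gather versions from a live environment; it uses the standard-library `importlib.metadata` and skips packages that are not installed. Pre-release suffixes such as "rc1" are ignored by the simple version parser, which is sufficient for the plain X.Y.Z versions in this record.

```python
"""Check package versions against the CNA "affected" ranges for CVE-2024-24762.

Added example (not the CVE record's or the projects' own code).
"""
import json
import re
from importlib import metadata

# CNA Affected entries, copied from the record on this page
# (only the fields the range check needs are kept).
CNA_AFFECTED = json.loads("""
[
  {"packageName": "python-multipart", "defaultStatus": "unaffected",
   "versions": [{"version": "0", "lessThan": "0.0.7",
                 "status": "affected", "versionType": "affected"}]},
  {"packageName": "fastapi", "defaultStatus": "unaffected",
   "versions": [{"version": "0", "lessThan": "0.109.1",
                 "status": "affected", "versionType": "affected"}]},
  {"packageName": "starlette", "defaultStatus": "unaffected",
   "versions": [{"version": "0", "lessThan": "0.36.2",
                 "status": "affected", "versionType": "affected"}]}
]
""")


def parse_version(version):
    """Turn '0.109.1' into (0, 109, 1).

    Assumption: numeric dotted versions only; a pre-release tail such as
    'rc1' is dropped, so '0.0.7rc1' compares equal to '0.0.7'.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_in_range(version, rng):
    """True if version lies in [rng['version'], rng['lessThan'])."""
    lower = parse_version(rng["version"])
    upper = parse_version(rng["lessThan"])
    return lower <= parse_version(version) < upper


def package_status(package, version, affected=CNA_AFFECTED):
    """Return the CNA status ('affected' / 'unaffected') for one package
    at one version, or 'unknown' if the record does not list the package."""
    for entry in affected:
        if entry["packageName"] != package:
            continue
        for rng in entry["versions"]:
            if version_in_range(version, rng):
                return rng["status"]
        return entry["defaultStatus"]
    return "unknown"


def affected_packages(installed, affected=CNA_AFFECTED):
    """Given {package: version}, return the sorted names that are affected."""
    return sorted(name for name, ver in installed.items()
                  if package_status(name, ver, affected) == "affected")


def installed_versions(packages=("python-multipart", "fastapi", "starlette")):
    """Collect versions from the running environment; missing packages are skipped.
    (Hypothetical helper for a live check; the tests below use fixed inputs.)"""
    found = {}
    for name in packages:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Constructed sample environment: two of the three are below the fixed version.
    sample = {"python-multipart": "0.0.6", "fastapi": "0.109.1", "starlette": "0.36.1"}
    print("affected:", affected_packages(sample))
    print("live environment:", affected_packages(installed_versions()))
```

The boundary matters: "lessThan" is exclusive, so 0.0.7, 0.109.1 and 0.36.2 are the first unaffected releases of each package, matching the advisory text that the fix shipped in python-multipart 0.0.7.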
