CVE-2024-24762

05.02.2024, 15:15

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 82%

Vendor	Product	Version
fastapiexpert	python-multipart	𝑥 < 0.0.7
fastapiexpert	python-multipart	𝑥 < 0.0.7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-multipart

bullseye	no-dsa
bookworm	no-dsa
sid	0.0.20-1 fixed
trixie	0.0.20-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-multipart

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
mantic	ignored
jammy	needs-triage
focal	dne
bionic	dne
xenial	dne
trusty	dne

Known Exploits!

Common Weakness Enumeration

References

https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4

https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p

https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5

https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238

https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc

https://github.com/tiangolo/fastapi/releases/tag/0.109.1

https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389

https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4

https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p

https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5

https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238

https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc

https://github.com/tiangolo/fastapi/releases/tag/0.109.1

https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389