Regular Expression Denial of Service (ReDoS) Vulnerability in FastAPI's python-multipart
CVE-2024-24762

7.5HIGH

Key Information:

Vendor

Kludex

Status
Python-multipart
Fastapi
Starlette
Vendor
CVE Published:
5 February 2024

What is CVE-2024-24762?

The python-multipart library, used for handling multipart form data in Python, contains a vulnerability that exposes systems to denial of service attacks. An attacker can leverage this vulnerability by crafting a specially designed HTTP Content-Type header that triggers excessive CPU consumption during parsing. This resource-intensive process can lead to significant stalling of the main event loop, preventing the server from handling additional incoming requests. This behavior stems from the complexity of the Regular Expression utilized for parsing, which fails to efficiently process certain options within the header. The vulnerability has been patched in version 0.0.7, and users are advised to upgrade to this version to mitigate the risks associated with this exploit.

Affected Version(s)

fastapi 0 < 0.109.1

python-multipart 0 < 0.0.7

starlette 0 < 0.36.2

References

https://github.com/Kludex/python-multipart/security/advis...
x_refsource_CONFIRM
https://github.com/Kludex/python-multipart/commit/20f0ef6...
x_refsource_MISC
https://github.com/tiangolo/fastapi/security/advisories/G...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.