HIGH🇬🇧 English

CVE-2024-24762

CVSS 7.5v3.1pub. 2024-02-05upd. 2025-05-05

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Encode Starlette

    APP
    Encode
    < 0.36.2
  • Fastapiexpert Python Multipart

    APP
    Fastapiexpert
    < 0.0.7
  • Tiangolo Fastapi

    APP
    Tiangolo
    < 0.109.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
DoS
CWE
Referencje

Powiązane podatności

CVE-2026-54283HIGH7.5ten sam produkt

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields a...

CVE-2026-53539HIGH7.5ten sam produkt

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-f...

CVE-2026-48818HIGH7.5ten sam produkt

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vu...

CVE-2026-24486HIGH8.6ten sam produkt

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnera...

CVE-2023-29159HIGH7.5ten sam produkt

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote u...

CVE-2024-24762 — HIGH 7.5 | CVEbaza.pl