Home > Vulnerability Database > CVE-2024-24762

Mend.io Vulnerability Database

CVE-2024-24762

Good to know:

Date: February 5, 2024

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Language: Python

Severity Score

7.5

Related Resources (14)

Url: https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p

Url: https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4

Url: https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389

Url: https://github.com/Kludex/python-multipart

Url: https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc

Url: https://github.com/tiangolo/fastapi

Url: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238

Url: https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml

Url: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

Url: https://github.com/github/advisory-database/pull/4829

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-24762

Url: https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5

Url: https://github.com/tiangolo/fastapi/releases/tag/0.109.1

Url: https://www.mend.io/vulnerability-database/CVE-2024-24762

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version python-multipart - 0.0.7

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-24762

Good to know:

Date: February 5, 2024

Language: Python

Severity Score

Related Resources (14)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?