python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with a large amount of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
History

Tue, 03 Dec 2024 01:30:00 +0000

Type: References
Values Removed: (no values listed)
Values Added: (no values listed)

Type: Metrics threat_severity
Values Removed: None
Values Added: Important

Mon, 02 Dec 2024 20:15:00 +0000

Type: First Time appeared
Values Added: Kludex; Kludex python-multipart

Type: CPEs
Values Added: cpe:2.3:a:kludex:python-multipart:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Kludex; Kludex python-multipart

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Dec 2024 16:00:00 +0000

Type: Description
Values Added: (the advisory description shown at the top of this page)

Type: Title
Values Added: python-multipart has a Denial of service (DoS) via deformation `multipart/form-data` boundary

Type: Weaknesses
Values Added: CWE-770

Type: References
Values Added: (no values listed)

Type: Metrics cvssV3_1
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-02T15:57:50.232Z

Updated: 2024-12-02T19:59:14.830Z

Reserved: 2024-11-25T23:14:36.379Z

Link: CVE-2024-53981

Vulnrichment

Updated: 2024-12-02T19:58:52.326Z

NVD

Status: Received

Published: 2024-12-02T16:15:14.457

Modified: 2024-12-02T16:15:14.457

Link: CVE-2024-53981

Redhat

Severity : Important

Publish Date: 2024-12-02T15:57:50Z

Links: CVE-2024-53981 - Bugzilla