python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
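Added example, not code from the advisory or from the python-multipart project: a guard that measures how many bytes sit before the first boundary and after the closing boundary of a buffered request body, so oversized padding can be rejected before the body reaches a parser older than 0.0.18. The function names, the 64-byte limits and the sample body are assumptions made for illustration.

```python
from email.message import Message

MAX_PREAMBLE = 64   # assumed policy: bytes tolerated before the first boundary
MAX_EPILOGUE = 64   # assumed policy: bytes tolerated after the closing boundary


def boundary_of(content_type: str) -> bytes:
    """Extract the boundary parameter from a Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = content_type
    boundary = msg.get_param("boundary")
    if msg.get_content_type() != "multipart/form-data" or not isinstance(boundary, str):
        raise ValueError("not multipart/form-data or boundary missing")
    return boundary.encode("latin-1")


def padding(body: bytes, boundary: bytes) -> tuple[int, int]:
    """Return (bytes before first delimiter, bytes after closing delimiter)."""
    delim = b"--" + boundary
    first = body.find(delim)          # C-level scan, no per-byte callbacks or logging
    if first < 0:
        return len(body), 0           # no boundary at all: everything is preamble
    last = body.rfind(delim + b"--")  # closing delimiter is "--boundary--"
    epilogue = 0 if last < 0 else len(body) - (last + len(delim) + 2)
    return first, epilogue


def check_body(content_type: str, body: bytes) -> str:
    """Return 'accept' or a rejection reason for a fully buffered body."""
    pre, post = padding(body, boundary_of(content_type))
    if pre > MAX_PREAMBLE:
        return f"reject: {pre} bytes before first boundary"
    if post > MAX_EPILOGUE:
        return f"reject: {post} bytes after last boundary"
    return "accept"


# Constructed sample input: one small form field with a hypothetical boundary.
CT = "multipart/form-data; boundary=XbX"
GOOD = (b"--XbX\r\n"
        b'Content-Disposition: form-data; name="f"\r\n\r\n'
        b"v\r\n--XbX--\r\n")

if __name__ == "__main__":
    print(check_body(CT, GOOD))
    print(check_body(CT, b"\r\n" * 100 + GOOD))
```

The guard assumes the body is already buffered and size-capped by the server; upgrading to 0.0.18 remains the fix the advisory names.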
History
Tue, 03 Dec 2024 01:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Mon, 02 Dec 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Kludex, Kludex python-multipart | |
CPEs | cpe:2.3:a:kludex:python-multipart:*:*:*:*:*:*:*:* | |
Vendors & Products | Kludex, Kludex python-multipart | |
Metrics | ssvc | |
Mon, 02 Dec 2024 16:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18. | |
Title | python-multipart has a Denial of service (DoS) via deformation `multipart/form-data` boundary | |
Weaknesses | CWE-770 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-12-02T15:57:50.232Z
Updated: 2024-12-02T19:59:14.830Z
Reserved: 2024-11-25T23:14:36.379Z
Link: CVE-2024-53981
Vulnrichment
Updated: 2024-12-02T19:58:52.326Z
NVD
Status : Received
Published: 2024-12-02T16:15:14.457
Modified: 2024-12-02T16:15:14.457
Link: CVE-2024-53981
Redhat