CVE-2024-24762

Description

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

How to fix CVE-2024-24762

To remediate CVE-2024-24762, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 0.109.1 or later
• —upgrade to 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc or later
• —upgrade to 0.0.7 or later
• —upgrade to 0.36.2 or later

Is CVE-2024-24762 being exploited?

Low — EPSS is 3.3%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0
• from 0, < 0.109.1
• from 0, < 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc | from 0, < 0.109.1
• from 0, < 0.0.7
• from 0, < 0.36.2

CVSS scores

References (15)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24762
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-24762
• PATCHgithub.com/encode/starlette
• PATCHgithub.com/Kludex/python-multipart
• PATCHgithub.com/tiangolo/fastapi