CVE-2023-25578

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25578
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25578.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25578
Aliases
Published
2023-02-15T14:58:31Z
Modified
2025-11-04T19:32:00Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Starlite DoS vulnerability when parsing multipart request body
Details

Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a Body(media_type=RequestEncodingType.MULTI_PART). The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/starlite-api/starlite

Affected ranges

Type
GIT
Repo
https://github.com/starlite-api/starlite
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
95c84e96227222f6324a911c389f38a65b2642e3
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.51.2"
        }
    ]
}