CVE-2024-24762

python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

References

Affected packages

Git / github.com/Kludex/python-multipart

Affected ranges

Type: GIT
Repo: https://github.com/Kludex/python-multipart
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c83e6da1a3a6ed002ebb22138baa1664134d540c

Affected versions

0.*

0.0.2

0.0.4

0.0.5

0.0.6

Git / github.com/Kludex/python-multipart

Affected ranges

Type: GIT
Repo: https://github.com/tiangolo/fastapi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7633d1571cc0c2792b766f67172edb9427c66899

Affected versions

0.*

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.17

0.1.19

0.10.0

0.10.1

0.10.2

0.10.3

0.100.0

0.100.1

0.101.0

0.101.1

0.102.0

0.103.0

0.103.1

0.103.2

0.104.0

0.104.1

0.105.0

0.106.0

0.107.0

0.108.0

0.109.0

0.11.0

0.12.0

0.12.1

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.2.0

0.2.1

0.20.0

0.20.1

0.21.0

0.22.0

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0

0.27.1

0.27.2

0.28.0

0.29.0

0.29.1

0.3.0

0.30.0

0.30.1

0.31.0

0.32.0

0.33.0

0.34.0

0.35.0

0.36.0

0.37.0

0.38.0

0.38.1

0.39.0

0.4.0

0.40.0

0.41.0

0.42.0

0.43.0

0.44.0

0.44.1

0.45.0

0.46.0

0.47.0

0.47.1

0.48.0

0.49.0

0.49.1

0.49.2

0.5.0

0.5.1

0.50.0

0.51.0

0.52.0

0.53.0

0.53.1

0.53.2

0.54.0

0.54.1

0.54.2

0.55.0

0.55.1

0.56.0

0.56.1

0.57.0

0.58.0

0.58.1

0.59.0

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.60.0

0.60.1

0.60.2

0.61.0

0.61.1

0.61.2

0.62.0

0.63.0

0.64.0

0.65.0

0.65.1

0.65.2

0.65.3

0.66.0

0.66.1

0.67.0

0.68.0

0.68.1

0.68.2

0.69.0

0.7.0

0.7.1

0.70.0

0.70.1

0.71.0

0.72.0

0.73.0

0.74.0

0.74.1

0.75.0

0.75.1

0.75.2

0.76.0

0.77.0

0.77.1

0.78.0

0.79.0

0.79.1

0.8.0

0.80.0

0.81.0

0.82.0

0.83.0

0.84.0

0.85.0

0.85.1

0.85.2

0.86.0

0.87.0

0.88.0

0.89.0

0.89.1

0.9.0

0.9.1

0.90.0

0.90.1

0.91.0

0.92.0

0.93.0

0.94.0

0.94.1

0.95.0

0.95.1

0.95.2

0.96.0

0.96.1

0.97.0

0.98.0

0.99.0

0.99.1

v0.*

v0.1.16

Git / github.com/Kludex/python-multipart

Affected ranges

Type: GIT
Repo: https://github.com/encode/starlette
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

04a7d9d8d1db3734c028d89a6a3fd636ddcafedf

Affected versions

0.*

0.1.0

0.1.1

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.10.0

0.10.1

0.10.4

0.11.1

0.11.2

0.11.3

0.11.4

0.12.0

0.12.0.b1

0.12.0.b2

0.12.0.b3

0.12.11

0.12.12

0.12.13

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.13.6

0.13.7

0.13.8

0.14.0

0.14.1

0.14.2

0.15.0

0.16.0

0.17.0

0.17.1

0.18.0

0.19.0

0.19.1

0.2.0

0.2.1

0.2.2

0.2.3

0.20.0

0.20.1

0.20.2

0.20.3

0.20.4

0.21.0

0.22.0

0.23.0

0.23.1

0.24.0

0.25.0

0.26.0

0.26.0.post1

0.26.1

0.27.0

0.28.0

0.29.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.30.0

0.31.0

0.31.1

0.32.0

0.32.0.post1

0.33.0

0.34.0

0.35.0

0.35.1

0.36.0

0.36.1

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.9.0

0.9.1

0.9.10

0.9.11

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9