CVE-2024-52581

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-52581
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52581.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-52581
Aliases
Related
Published
2024-11-20T21:15:08Z
Modified
2024-11-21T07:51:17.190268Z
Summary
[none]
Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

References

Affected packages

Git / github.com/litestar-org/litestar

Affected ranges

Type
GIT
Repo
https://github.com/litestar-org/litestar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.7.2

v0.*

v0.0.1a
v0.1.0
v0.1.0b1
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.6.0
v0.7.0
v0.7.1

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.20.0
v1.21.0
v1.21.1
v1.21.2
v1.22.0
v1.23.0
v1.23.1
v1.24.0
v1.25.0
v1.26.0
v1.26.1
v1.27.0
v1.28.0
v1.28.1
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.40.0
v1.40.1
v1.41.0
v1.42.0
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.45.1
v1.46.0
v1.47.0
v1.48.0
v1.48.1
v1.49.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.50.0
v1.50.1
v1.50.2
v1.51.0
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.9.0
v1.9.1

v2.*

v2.0.0
v2.0.0alpha1
v2.0.0alpha2
v2.0.0alpha3
v2.0.0alpha4
v2.0.0alpha5
v2.0.0alpha6
v2.0.0alpha7
v2.0.0beta1
v2.0.0beta2
v2.0.0beta3
v2.0.0beta4
v2.0.0rc1
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.12.1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.8.0
v2.9.0