GHSA-gjcc-jvgw-wvwj

Suggest an improvement
Source
https://github.com/advisories/GHSA-gjcc-jvgw-wvwj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-gjcc-jvgw-wvwj/GHSA-gjcc-jvgw-wvwj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gjcc-jvgw-wvwj
Aliases
Related
Published
2024-11-20T21:38:58Z
Modified
2024-11-25T14:01:20.841792Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS Calculator
Summary
Litestar allows unbounded resource consumption (DoS vulnerability)
Details

Summary

Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allows an attacker to cause excessive memory consumption on the server by sending large requests.

Details

The Request methods to parse json, msgpack or form-data all read the entire request stream into memory via await self.body() without a prior size check or size limit. There may be other places (e.g. extractors) where this can happen.

For most formats, a configurable size limit would be sufficient to mitigate this issue. The total request size can also be limited by a proxy (e.g. nginx) in front of the actual application as a workaround. However, for applications that actually want to accept large file uploads via multipart/form-data, a simple size limit would not be practical. The multipart parser currently used by Litestar expects a single byte string as input and does not support incremental parsing via Request.stream(). Applications could bypass the Litestar parser and use a streaming parser to read from Request.stream() instead, but that would not work with extractors and other features of the framework. Switching the parser for a different implementation is currently not possible via public APIs.

PoC

Start an applications that accesses Request.json(), Request.msgpack() or Request.form() or uses an extractor that relies on those parsers internally, and send a large request with a matching content type. The actual content of the request does not matter. For example: curl -F "foo=</dev/random" http://127.0.0.1:8000/) for multipart/form-data. Server memory consumption will increase very quickly until memory (and swap) are exhausted.

Impact

This is a denial of service (DoS) vulnerability affecting all Litestar applications that process json, msgpack or form-data submission requests.

Database specific
{
    "nvd_published_at": "2024-11-20T21:15:08Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T21:38:58Z"
}
References

Affected packages

PyPI / litestar

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.13.0

Affected versions

1.*

1.0.0a0

2.*

2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0a7
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1

Database specific

{
    "last_known_affected_version_range": "<= 2.12.1"
}

PyPI / starlite

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.51.16

Affected versions

0.*

0.0.1a0
0.1.0b1
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.6.0
0.7.0
0.7.1
0.7.2

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0
1.1.1
1.2.0
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.11.1
1.12.0
1.13.0
1.13.1
1.14.0
1.14.1
1.14.2
1.15.0
1.16.0
1.16.1
1.16.2
1.17.0
1.17.1
1.17.2
1.18.0
1.18.1
1.19.0
1.20.0
1.21.0
1.21.1
1.21.2
1.23.0
1.23.1
1.24.0
1.25.0
1.26.0
1.26.1
1.27.0
1.28.0
1.28.1
1.29.0
1.30.0
1.31.0
1.32.0
1.33.0
1.34.0
1.35.0
1.35.1
1.36.0
1.37.0
1.38.0
1.39.0
1.40.0
1.40.1
1.41.0
1.42.0
1.43.0
1.43.1
1.44.0
1.45.0
1.45.1
1.46.0
1.47.0
1.48.0
1.48.1
1.49.0
1.50.0
1.50.1
1.50.2
1.51.0
1.51.1
1.51.2
1.51.3
1.51.4
1.51.5
1.51.6
1.51.7
1.51.8
1.51.9
1.51.10
1.51.11
1.51.12
1.51.13
1.51.14
1.51.15
1.51.16