PYSEC-2024-178

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2024-178.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2024-178

Aliases

Related

GHSA-p24m-863f-fm6q

Published

2024-11-20T21:15:08Z

Modified

2026-06-10T17:14:15.014576748Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

References

Affected packages

PyPI / litestar

Package

Name: litestar; View open source insights on deps.dev
Purl: pkg:pypi/litestar

Affected ranges

Type: GIT
Repo: https://github.com/litestar-org/litestar
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

53c1473b5ff7502816a9a339ffc90731bb0c2138

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.0

Affected versions

v0.*

v0.0.1a

v0.1.0b1

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.6.0

v0.7.0

v0.7.1

0.*

0.7.2

1.*

1.0.0a0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.7.3

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.12.0

v1.13.0

v1.13.1

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.16.0

v1.16.1

v1.16.2

v1.17.0

v1.17.1

v1.17.2

v1.18.0

v1.18.1

v1.19.0

v1.20.0

v1.21.0

v1.21.1

v1.21.2

v1.22.0

v1.23.0

v1.23.1

v1.24.0

v1.25.0

v1.26.0

v1.26.1

v1.27.0

v1.28.0

v1.28.1

v1.29.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.35.1

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.40.0

v1.40.1

v1.41.0

v1.42.0

v1.43.0

v1.43.1

v1.44.0

v1.45.0

v1.45.1

v1.46.0

v1.47.0

v1.48.0

v1.48.1

v1.49.0

v1.50.0

v1.50.1

v1.50.2

v1.51.0

v2.*

v2.0.0alpha1

v2.0.0alpha2

v2.0.0alpha3

v2.0.0alpha4

v2.0.0alpha5

v2.0.0alpha6

v2.0.0alpha7

v2.0.0beta1

v2.0.0beta2

v2.0.0beta3

v2.0.0beta4

v2.0.0rc1

v2.0.0

v2.1.0

v2.1.1

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.1

v2.8.0

v2.9.0

v2.10.0

v2.11.0

v2.12.0

v2.12.1

2.*

2.0.0a3

2.0.0a4

2.0.0a5

2.0.0a6

2.0.0a7

2.0.0b1

2.0.0b2

2.0.0b3

2.0.0b4

2.0.0rc1

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.7.0

2.7.1

2.7.2

2.8.0

2.8.1

2.8.2

2.8.3

2.9.0

2.9.1

2.10.0

2.11.0

2.12.0

2.12.1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2024-178.yaml"