PT-2023-22987 · Encode+1 · Starlette+1
Das7Pad · Published 2023-02-14 · Updated 2025-12-01 · CVE-2023-30798

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Starlette versions prior to 0.25.0
Description: The issue arises from the MultipartParser usage in Encode's Starlette Python framework, which allows an unauthenticated remote attacker to specify any number of form fields or files, causing excessive memory usage and a denial of service of the HTTP service. It can be triggered by sending too many small form fields with no content or too many empty files. The MultipartParser, built on the python-multipart package, accepts an unlimited number of multipart parts, leading to high CPU and memory usage and eventually an out-of-memory process kill.
Recommendations: To resolve the issue, upgrade Starlette to version 0.25.0 or later, which includes a patch that makes the maximum number of fields and files configurable, with a sensible default of 1000 each. If application code needs to customize these limits, use the new request.form() parameters max_files and max_fields. Alternatively, for applications that cannot upgrade immediately, consider not installing python-multipart or not using form fields, or parse the form data in the application by calling request.stream() instead of request.form().
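As an added illustration (not Starlette's or python-multipart's own code), the standalone parser below counts fields and files while walking a multipart body and rejects the request as soon as either count exceeds a limit, mirroring the default of 1000 each that Starlette 0.25.0 enforces through request.form(max_fields=..., max_files=...). The function names, the exception class and the constructed boundary and bodies are assumptions made for this example.

```python
import re

# Defaults mirror the limit Starlette 0.25.0 applies: 1000 fields and 1000 files.
DEFAULT_MAX_FIELDS = 1000
DEFAULT_MAX_FILES = 1000


class MultiPartException(Exception):
    """Raised as soon as a request exceeds the configured part limits."""


def count_multipart_parts(body: bytes, boundary: bytes,
                          max_fields: int = DEFAULT_MAX_FIELDS,
                          max_files: int = DEFAULT_MAX_FILES) -> tuple[int, int]:
    """Return (fields, files) for a multipart/form-data body, failing fast.
    A part whose Content-Disposition carries filename= counts as a file; the
    limits are checked while counting, so thousands of empty parts are
    rejected early instead of buffered in full (the CVE-2023-30798 path)."""
    delimiter = b"--" + boundary
    fields = files = 0
    for chunk in body.split(delimiter)[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):           # closing "--boundary--"
            break
        headers = chunk.partition(b"\r\n\r\n")[0]
        if re.search(rb"content-disposition:[^\r\n]*\bfilename=", headers, re.I):
            files += 1
            if files > max_files:
                raise MultiPartException(f"Too many files (limit {max_files}).")
        else:
            fields += 1
            if fields > max_fields:
                raise MultiPartException(f"Too many fields (limit {max_fields}).")
    return fields, files


def within_limits(body: bytes, boundary: bytes, **limits) -> bool:
    """True if the body parses under the given limits, False if it is rejected."""
    try:
        count_multipart_parts(body, boundary, **limits)
        return True
    except MultiPartException:
        return False


def build_body(boundary: bytes, n_fields: int, n_files: int) -> bytes:
    """Construct a body with n_fields empty fields and n_files empty files
    (constructed sample input for the check; real traffic carries payloads)."""
    field = b'--%s\r\nContent-Disposition: form-data; name="f%d"\r\n\r\n\r\n'
    upload = (b'--%s\r\nContent-Disposition: form-data; name="u%d"; '
              b'filename="e.txt"\r\nContent-Type: text/plain\r\n\r\n\r\n')
    parts = [field % (boundary, i) for i in range(n_fields)]
    parts += [upload % (boundary, i) for i in range(n_files)]
    return b"".join(parts) + b"--" + boundary + b"--\r\n"
```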

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-30798
GHSA-3QJ8-93XH-PWH2
GHSA-74M5-2C7W-9W3X
PYSEC-2023-48

Affected Products

Debian
Starlette