PT-2023-32953 · Litestar · Litestar

Das7Pad · Published 2023-02-15 · Updated 2024-11-25 · CVE-2024-52581

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Litestar versions prior to 2.13.0

Description: The multipart form parser in Litestar expects the entire request body as a single byte string and has no default limit on the total size of the request body. An attacker can therefore upload arbitrarily large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. This is a remote, potentially unauthenticated Denial of Service vulnerability. The large amount of CPU time required to process such requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing such requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop.

Recommendations: For versions prior to 2.13.0, update to version 2.13.0 to resolve the issue. As a temporary workaround, consider limiting the total request size using a proxy, such as nginx, in front of the actual application. For applications that need to accept large file uploads via multipart/form-data, consider using a streaming parser that reads from Request.stream() instead of the built-in parser. Note that this requires bypassing the Litestar parser and may not work with extractors and other features of the framework.
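The following is an added illustration of the streaming mitigation described above, not code from Litestar or from the advisory. It assumes an async iterator of byte chunks as a stand-in for Request.stream(); the multipart body, the limit values and the helper names are constructed for the demonstration. The point it shows is that the size check runs per chunk, so an oversized upload is refused before the body is accumulated into one byte string, which is exactly what the default parser does not do.

```python
import asyncio
from typing import AsyncIterator, Tuple

class RequestTooLarge(Exception):
    """Raised as soon as the cumulative body size passes the configured cap."""
    def __init__(self, received: int, limit: int) -> None:
        super().__init__(f"request body exceeds {limit} bytes ({received} read)")
        self.received = received
        self.limit = limit

async def read_body_bounded(stream: AsyncIterator[bytes], max_bytes: int) -> bytes:
    """Buffer body chunks, aborting once the running total passes max_bytes.

    At most one chunk beyond the cap is ever held in memory, so an oversized
    upload is rejected early instead of being fully buffered and then parsed.
    """
    received = 0
    parts = []
    async for chunk in stream:
        received += len(chunk)
        if received > max_bytes:
            raise RequestTooLarge(received, max_bytes)
        parts.append(chunk)
    return b"".join(parts)

def multipart_body(boundary: str, filename: str, content: bytes) -> bytes:
    """Constructed multipart/form-data body with a single file part."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()

async def _chunks(data: bytes, size: int) -> AsyncIterator[bytes]:
    # Hypothetical stand-in for Request.stream(): yields the body in size-byte pieces.
    for i in range(0, len(data), size):
        yield data[i : i + size]

def handle_upload(body: bytes, max_bytes: int, chunk_size: int = 8192) -> Tuple[str, int]:
    """Return ("ok", bytes_buffered) or ("rejected", bytes_read_before_abort)."""
    async def run() -> Tuple[str, int]:
        try:
            data = await read_body_bounded(_chunks(body, chunk_size), max_bytes)
            return ("ok", len(data))
        except RequestTooLarge as exc:
            return ("rejected", exc.received)
    return asyncio.run(run())
```

With a 64 KiB cap and 8 KiB chunks, a 1 MiB upload is refused after the ninth chunk (73728 bytes read) rather than after the whole megabyte has been buffered.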

Weakness Enumeration: Allocation of Resources Without Limits; Resource Exhaustion

Related Identifiers:
CVE-2024-52581
GHSA-GJCC-JVGW-WVWJ
GHSA-P24M-863F-FM6Q
PYSEC-2024-178

Affected Products: Litestar