PT-2024-20540 · Pypi+6 · Python-Multipart+6
Parent: ebf9723 · Published: 2024-02-05 · Updated: 2026-04-04 · CVE-2024-24762
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
python-multipart versions prior to 0.0.7
FastAPI version 0.109.0

Description
The vulnerability is a Regular Expression Denial of Service (ReDoS) in the python-multipart library, which FastAPI uses to parse form data. An attacker can send a request whose Content-Type header carries a crafted parameter (option) that the header-parsing regular expression can only process with excessive backtracking, consuming CPU and stalling indefinitely. While the parse is stalled, the process cannot handle any other requests, which results in a denial of service. The vulnerability only applies when the application accepts form data, which is parsed with python-multipart.
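The following is an added example and is not code from python-multipart, FastAPI, or this advisory. It reproduces the class of bug described above with a constructed, simplified Content-Type parameter regex (assumed here for illustration; it is not the pattern that shipped in python-multipart), shows how an unterminated quoted-string value made of backslashes makes the regex engine try roughly Fibonacci(n) ways of splitting the input before failing, and places a single-pass parser beside it that handles the same header in linear time. Both the benign header and the hostile header are constructed inputs.

```python
"""Added illustration of the ReDoS class described in the advisory.
Not python-multipart's or FastAPI's code: the regex below is a constructed,
simplified Content-Type parameter pattern, and both headers are constructed
inputs."""
import re
import time

# Constructed, illustrative grammar for `; name=value` parameters where the
# value is a token or a quoted-string with backslash escapes. The quoted-string
# body (?:\\.|[^"])* is ambiguous: a backslash can be eaten by either branch,
# so an UNTERMINATED quoted string of n backslashes forces about Fibonacci(n)
# different splits to be tried before the engine admits failure.
_TOKEN = r'[^()<>@,;:\\"/\[\]?={} \t]+'
_QUOTED = r'"(?:\\.|[^"])*"'
OPTION_RE = re.compile(r';\s*(%s)\s*=\s*(%s|%s)' % (_TOKEN, _QUOTED, _TOKEN))


def _unquote(value: str) -> str:
    """Strip surrounding quotes and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_with_regex(header: str) -> dict:
    """Backtracking parser: correct on normal input, super-linear on hostile input."""
    media_type, sep, rest = header.partition(';')
    params = {}
    for m in OPTION_RE.finditer(sep + rest):
        params[m.group(1).lower()] = _unquote(m.group(2))
    return {"type": media_type.strip().lower(), "params": params}


def parse_linear(header: str) -> dict:
    """Single-pass parser: each character is examined once, O(len(header))."""
    media_type, _, rest = header.partition(';')
    params = {}
    i, n = 0, len(rest)
    while i < n:
        semi, eq = rest.find(';', i), rest.find('=', i)
        if eq < 0:
            break                          # trailing text without '=': ignore
        if 0 <= semi < eq:                 # parameter without a value: skip it
            i = semi + 1
            continue
        name = rest[i:eq].strip().lower()
        i = eq + 1
        while i < n and rest[i] in ' \t':
            i += 1
        if i < n and rest[i] == '"':
            # quoted-string: walk forward once; a backslash takes the next char
            # literally, and an unterminated string simply runs to the end
            i += 1
            buf = []
            while i < n and rest[i] != '"':
                if rest[i] == '\\' and i + 1 < n:
                    i += 1
                buf.append(rest[i])
                i += 1
            i += 1                          # step past the closing quote
            value = ''.join(buf)
        else:
            end = n if semi < 0 else semi
            value = rest[i:end].strip()
            i = end
        semi = rest.find(';', i)
        i = n if semi < 0 else semi + 1
        if name:
            params[name] = value
    return {"type": media_type.strip().lower(), "params": params}


def hostile_content_type(n: int) -> str:
    """Constructed hostile header: a quoted-string value of n backslashes that
    is never closed, so the regex must try every way of splitting them."""
    return 'application/x-www-form-urlencoded; !="' + '\\' * n


def time_parsers(n: int) -> tuple:
    """Seconds taken by each parser on the hostile header with n backslashes."""
    header = hostile_content_type(n)
    t0 = time.perf_counter()
    parse_with_regex(header)
    t_regex = time.perf_counter() - t0
    t0 = time.perf_counter()
    parse_linear(header)
    return t_regex, time.perf_counter() - t0


if __name__ == "__main__":
    benign = 'multipart/form-data; boundary="abc\\"def"; charset=utf-8'
    print("regex :", parse_with_regex(benign))
    print("linear:", parse_linear(benign))
    for n in (16, 20, 24, 28):
        t_regex, t_linear = time_parsers(n)
        print(f"n={n:2d}  regex {t_regex * 1e3:8.2f} ms   linear {t_linear * 1e6:7.1f} us")
```

Running the file prints both parsers' identical result for the benign header, then the regex time for 16, 20, 24 and 28 backslashes, which grows by a factor of about 1.6 per additional backslash while the linear parser stays in the microsecond range. Because the blow-up is exponential in the length of a very short payload, limiting request header size is not a workaround for this class of bug; the parser has to be changed.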
Recommendations
For python-multipart versions prior to 0.0.7, update to version 0.0.7 or later. For FastAPI version 0.109.0, update to version 0.109.1 or later. The fix is in python-multipart itself, so after updating either package confirm that the resolved python-multipart is 0.0.7 or later (for example with pip show python-multipart); updating FastAPI helps only insofar as it pulls in the fixed python-multipart.

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALT-PU-2024-2022
BDU:2025-01435
CVE-2024-24762
GHSA-2JV5-9R88-3W3P
GHSA-93GM-QMQ6-W238
GHSA-QF9M-VFGH-M389
OPENSUSE-SU-2024:13664-1
OPENSUSE-SU-2024:13684-1
PYSEC-2024-38
USN-8027-1

Affected Products

Alt Linux
Debian
Fastapi
Linuxmint
Red Os
Ubuntu
Python-Multipart