PT-2024-7391 · Starlette+3

Defnull · Published 2024-10-04 · Updated 2026-06-03 · CVE-2024-47874

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Starlette versions prior to 0.40.0
Description: The issue lies in how Starlette handles multipart/form-data parts without a filename: it treats them as text form fields and buffers them in byte strings with no size limit. An attacker can therefore upload arbitrarily large form fields, causing Starlette to slow down significantly because of excessive memory allocations and copy operations, and to consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an out-of-memory (OOM) error. Sending several such requests in parallel may be enough to render a service practically unusable. This denial-of-service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) that accept form requests.
Recommendations: For versions prior to 0.40.0, update to version 0.40.0 to fix the issue. As a temporary workaround, consider restricting the size of form fields or disabling the handling of multipart/form-data parts without a filename to minimize the risk of exploitation. Avoid exposing multipart/form-data endpoints to untrusted input until the issue is resolved.
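To make the mechanism in the description and the "restrict the size of form fields" workaround concrete, here is an added example that is not part of this advisory and not Starlette's code: a small streaming multipart/form-data parser that enforces a per-field byte cap while it accumulates a part without a filename, so an oversized field is rejected after roughly `max_field_size` bytes instead of being buffered in full. The boundary, field names, request generator and the 10 MiB / 1 MiB figures are constructed for the demo; file parts (with a filename) are passed through untouched because the advisory concerns only non-file parts.

```python
"""Bounded multipart/form-data parsing (added example, not Starlette code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


class FormFieldTooLarge(Exception):
    """Raised as soon as a non-file form field exceeds the configured cap."""


@dataclass
class Part:
    name: str
    filename: Optional[str]
    data: bytes


# Extracts name="..." / filename="..." parameters from a Content-Disposition value.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _parse_headers(blob: bytes) -> dict[str, str]:
    headers: dict[str, str] = {}
    for line in blob.decode("latin-1").split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def iter_multipart(chunks: Iterable[bytes], boundary: bytes,
                   max_field_size: Optional[int] = None) -> Iterator[Part]:
    """Incrementally parse a multipart body supplied as byte chunks.

    A part without a filename is a plain form field; its accumulated size is
    checked on every chunk, so the parser never holds more than about
    max_field_size bytes of such a field in memory before raising.
    """
    delimiter = b"--" + boundary
    marker = b"\r\n" + delimiter          # what ends a part body
    buf = b""
    state = "preamble"
    name, filename, data = "", None, b""

    def check_cap() -> None:
        if filename is None and max_field_size is not None and len(data) > max_field_size:
            raise FormFieldTooLarge(f"field {name!r} exceeds {max_field_size} bytes")

    for chunk in chunks:
        buf += chunk
        while True:
            if state == "preamble":
                idx = buf.find(delimiter)
                if idx < 0:
                    buf = buf[-(len(delimiter) - 1):]   # keep a tail in case the delimiter is split
                    break
                buf = buf[idx + len(delimiter):]
                state = "after_delim"
            elif state == "after_delim":
                if len(buf) < 2:
                    break
                if buf.startswith(b"--"):
                    return                                # closing delimiter: done
                if not buf.startswith(b"\r\n"):
                    raise ValueError("malformed multipart delimiter")
                buf = buf[2:]
                state = "headers"
            elif state == "headers":
                idx = buf.find(b"\r\n\r\n")
                if idx < 0:
                    break
                params = dict(_PARAM_RE.findall(
                    _parse_headers(buf[:idx]).get("content-disposition", "")))
                name, filename, data = params.get("name", ""), params.get("filename"), b""
                buf = buf[idx + 4:]
                state = "body"
            else:  # state == "body"
                idx = buf.find(marker)
                if idx < 0:
                    keep = len(marker) - 1                # a marker may straddle two chunks
                    if len(buf) > keep:
                        data += buf[:-keep]
                        buf = buf[-keep:]
                    check_cap()
                    break
                data += buf[:idx]
                buf = buf[idx + len(marker):]
                check_cap()
                yield Part(name, filename, data)
                state = "after_delim"


def parse_all(body: bytes, boundary: bytes, max_field_size: Optional[int] = None) -> list[Part]:
    """Convenience wrapper for a body that is already fully in memory."""
    return list(iter_multipart([body], boundary, max_field_size))


# Constructed sample request: one text field and one file part.
SAMPLE_BOUNDARY = b"demoboundary"
SAMPLE_BODY = (
    b"--demoboundary\r\n"
    b'Content-Disposition: form-data; name="note"\r\n\r\n'
    b"hello world\r\n"
    b"--demoboundary\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"file contents\r\n"
    b"--demoboundary--\r\n"
)


def oversized_field_request(boundary: bytes, total: int, chunk: int = 65536) -> Iterator[bytes]:
    """Constructed request with a single filename-less field of `total` bytes, streamed in chunks."""
    yield b"--" + boundary + b'\r\nContent-Disposition: form-data; name="note"\r\n\r\n'
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield b"A" * n
        sent += n
    yield b"\r\n--" + boundary + b"--\r\n"


def demo_oversized_field(total: int, limit: int) -> tuple[bool, int]:
    """Return (rejected, bytes_consumed): how much of the request was read before the cap fired."""
    consumed = 0

    def counted() -> Iterator[bytes]:
        nonlocal consumed
        for c in oversized_field_request(SAMPLE_BOUNDARY, total):
            consumed += len(c)
            yield c

    try:
        list(iter_multipart(counted(), SAMPLE_BOUNDARY, max_field_size=limit))
    except FormFieldTooLarge:
        return True, consumed
    return False, consumed


if __name__ == "__main__":
    for p in parse_all(SAMPLE_BODY, SAMPLE_BOUNDARY, max_field_size=1024):
        print(p.name, p.filename, p.data)
    print(demo_oversized_field(total=10 * 1024 * 1024, limit=1024 * 1024))
```

With `max_field_size=None` the parser behaves like the vulnerable case and keeps appending to `data` for as long as the client sends bytes; with a cap, a 10 MiB field is rejected after little more than 1 MiB has been read, which is the bound a server needs so that parallel oversized requests cannot drive it into swapping. A production deployment would pair this with a Content-Length / request-body limit at the reverse proxy, since the parser can only cap what it is handed.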

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-08761
CVE-2024-47874
GHSA-F96H-PMFR-66VW
GHSA-W466-2WFC-8G58
OPENSUSE-SU-2024:14417-1
OPENSUSE-SU-2024_3719-1
SUSE-SU-2024:3719-1

Affected Products

Debian
Red Os
Starlette
Suse