You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using python-multipart. This vulnerability has been patched in version 0.109.0.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-combot
changed the title
CVE-2024-24762 (High) detected in python_multipart-0.0.6-py3-none-any.whl
CVE-2024-24762 (High) detected in python_multipart-0.0.6-py3-none-any.whl - autoclosed
Feb 9, 2024
CVE-2024-24762 - High Severity Vulnerability
Vulnerable Library - python_multipart-0.0.6-py3-none-any.whl
A streaming multipart parser for Python
Library home page: https://files.pythonhosted.org/packages/b4/ff/b1e11d8bffb5e0e1b6d27f402eeedbeb9be6df2cdbc09356a1ae49806dbf/python_multipart-0.0.6-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: fda2a37b98507f17a864087fe28ef6b2dcf1984c
Found in base branch: 3.0
Vulnerability Details
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data,
python-multipart
uses a Regular Expression to parse the HTTPContent-Type
header, including options. An attacker could send a custom-madeContent-Type
option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, usingpython-multipart
. This vulnerability has been patched in version 0.109.0.Publish Date: 2024-02-05
URL: CVE-2024-24762
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-24762
Release Date: 2024-02-05
Fix Resolution: python-multipart - 0.0.7
The text was updated successfully, but these errors were encountered: