CVE-2023-25578

7.5 HIGH

📋 TL;DR

CVE-2023-25578 is a denial-of-service vulnerability in the Starlite ASGI framework: unauthenticated attackers can send specially crafted multipart requests that consume excessive CPU and memory. It affects applications with request handlers that accept multipart body data. Attackers can block worker processes and cause out-of-memory conditions.

💻 Affected Systems

Products:
  • Starlite ASGI framework
Versions: All versions prior to 1.51.2
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Body(media_type=RequestEncodingType.MULTI_PART) in request handlers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage through resource exhaustion, leading to application crashes and extended downtime.

🟠 Likely Case

Significant performance degradation and intermittent service disruptions affecting legitimate users.

🟢 If Mitigated

Minimal impact with proper rate limiting, request size limits, and updated software.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing applications particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple to exploit by sending many multipart requests; no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.51.2

Vendor Advisory: https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q

Restart Required: Yes

Instructions:

1. Update Starlite: pip install --upgrade starlite==1.51.2
2. Restart all application instances
3. Verify the update with: pip show starlite

🔧 Temporary Workarounds

Implement request size limits (applies to: all)

Configure the ASGI server or reverse proxy to limit multipart request sizes:

# For nginx: client_max_body_size 10m;
# For uvicorn/gunicorn: configure appropriate limits
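Where no reverse proxy sits in front of the application, the same cap can be enforced in the ASGI stack itself. The following is an added example, not code from this page or from the Starlite project: a framework-agnostic ASGI middleware (hypothetical name MultipartSizeLimit) that rejects multipart/form-data bodies over a byte limit with 413, counting the bytes actually streamed rather than trusting Content-Length, plus an in-process driver (request_status) that exercises it with constructed ASGI messages.

```python
import asyncio

MAX_MULTIPART_BYTES = 10 * 1024 * 1024  # 10 MiB, matching the nginx client_max_body_size 10m above

class BodyTooLarge(Exception):
    """Raised by the wrapped receive() once streamed body bytes exceed the cap."""

class MultipartSizeLimit:
    """Framework-agnostic ASGI middleware (hypothetical name) that answers 413 to
    multipart/form-data requests larger than max_bytes before the inner app parses them."""
    def __init__(self, app, max_bytes=MAX_MULTIPART_BYTES):
        self.app, self.max_bytes = app, max_bytes

    async def __call__(self, scope, receive, send):
        headers = dict(scope.get("headers", []))  # ASGI header names are already lowercase
        ctype = headers.get(b"content-type", b"").lower()
        if scope["type"] != "http" or not ctype.startswith(b"multipart/form-data"):
            return await self.app(scope, receive, send)
        seen = 0  # count streamed bytes instead of trusting Content-Length, so an absent or
                  # understated length (or chunked transfer) cannot bypass the cap
        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge(seen)
            return message
        try:
            await self.app(scope, limited_receive, send)
        except BodyTooLarge:  # the inner app reads the body before responding, as a body parser does
            await send({"type": "http.response.start", "status": 413, "headers": []})
            await send({"type": "http.response.body", "body": b"multipart body too large"})

async def drain_app(scope, receive, send):  # stand-in handler: consumes the body like a multipart parser
    while (await receive()).get("more_body"):
        pass
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def request_status(headers, chunks, max_bytes=MAX_MULTIPART_BYTES):
    """Drive the middleware in-process with constructed ASGI messages; return the response status."""
    msgs = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1} for i, c in enumerate(chunks)]
    sent = []
    async def receive():
        return msgs.pop(0)
    async def send(message):
        sent.append(message)
    asyncio.run(MultipartSizeLimit(drain_app, max_bytes)({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"]
```

Wrap the application object with MultipartSizeLimit where it is handed to uvicorn/gunicorn; a Content-Length fast path can be added in front of it, but the byte count is what actually enforces the cap.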

Rate limit multipart endpoints (applies to: all)

Apply rate limiting to endpoints accepting multipart data:

# Example using middleware or API gateway configuration

🧯 If You Can't Patch

  • Disable multipart endpoints if not required
  • Implement WAF rules to block excessive multipart requests

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Starlite version is <1.51.2 and the application uses multipart body handlers

Check Version:

pip show starlite | grep Version

Verify Fix Applied:

Confirm Starlite version is 1.51.2 or later

📡 Detection & Monitoring

Log Indicators:

  • High CPU/memory usage spikes
  • Multiple large multipart requests from single IPs
  • Out-of-memory errors in application logs

Network Indicators:

  • High volume of POST requests with Content-Type: multipart/form-data
  • Unusually large request bodies

SIEM Query:

source=app_logs ("multipart" OR "Body") AND ("high memory" OR "CPU spike" OR "OOM")
