CVE-2024-24762
📋 TL;DR
CVE-2024-24762 is a regular expression denial of service (ReDoS) vulnerability in python-multipart, a streaming multipart parser for Python. Attackers can send specially crafted Content-Type headers that cause excessive CPU consumption, stalling the main event loop and preventing the server from handling requests. This affects any Python application using vulnerable versions of python-multipart or frameworks like Starlette that depend on it.
💻 Affected Systems
- python-multipart
- Starlette
- FastAPI (if using vulnerable python-multipart)
- Any Python application using python-multipart
📦 What is this software?
Python Multipart by Fastapiexpert
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for minutes or longer due to CPU exhaustion, potentially affecting all users of the vulnerable application.
Likely Case
Temporary service degradation or denial of service for affected endpoints, requiring process restart to recover.
If Mitigated
Minimal impact with proper rate limiting, request validation, and updated dependencies.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malicious Content-Type headers, which is straightforward. No authentication is needed if the endpoint is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: python-multipart 0.0.7
Vendor Advisory: https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
Restart Required: Yes
Instructions:
1. Update python-multipart to version 0.0.7 or later using pip: 'pip install --upgrade "python-multipart>=0.0.7"' (the quotes keep the shell from treating `>=` as a redirection).
2. Update Starlette if using it: 'pip install --upgrade starlette'.
3. Restart the application to apply changes.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on endpoints that accept multipart/form-data to reduce the impact of repeated attacks.
Request Validation
Add middleware to validate or sanitize Content-Type headers before they reach python-multipart.
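One way to put the Request Validation workaround into practice, as an added example that is not part of this advisory and not code from python-multipart or Starlette: a pure-ASGI middleware that checks the Content-Type header before the request reaches the multipart parser. Non-multipart requests pass through untouched; a multipart/form-data header must be short, carry at most a few parameters, and have exactly one boundary that follows the RFC 2046 grammar (1 to 70 characters from the boundary character set, not ending in a space). The length and parameter bounds, the class name ContentTypeGuard and the probe helpers are my own assumptions, and the request driven through it is constructed inline so the example runs offline.

```python
import asyncio
import re

# Assumed bounds (not taken from the advisory): a legitimate multipart Content-Type
# is short, and browsers emit boundaries of roughly 40 characters.
MAX_HEADER_LEN = 256
MAX_PARAMS = 4

# RFC 2046 section 5.1.1: a boundary is 1-70 characters from this set and may not end in a space.
_BCHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'()+_,-./:=? ")
# RFC 7230 token characters, used for parameter names and unquoted values.
# The pattern is a single bounded character class, so it cannot backtrack.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _valid_boundary(boundary: str) -> bool:
    return 0 < len(boundary) <= 70 and not boundary.endswith(" ") and all(c in _BCHARS for c in boundary)


def validate_content_type(value: str) -> bool:
    """Return True if the header is safe to hand to the multipart parser.

    Only multipart/form-data is held to the strict grammar, because that is the
    value whose parameters the parser tokenises; other media types pass through.
    """
    if len(value) > MAX_HEADER_LEN:
        return False
    media, _, rest = value.partition(";")
    if media.strip().lower() != "multipart/form-data":
        return True
    params = [p.strip() for p in rest.split(";")] if rest.strip() else []
    if not params or len(params) > MAX_PARAMS:
        return False
    boundary = None
    for param in params:
        name, eq, val = param.partition("=")
        if not eq or not _TOKEN_RE.match(name):
            return False  # empty parameter (e.g. trailing ';') or non-token name
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
            if '"' in val or "\\" in val:
                return False  # no nested quotes or escapes inside a quoted value
        elif not _TOKEN_RE.match(val):
            return False
        if name.lower() == "boundary":
            if boundary is not None or not _valid_boundary(val):
                return False  # duplicate or malformed boundary
            boundary = val
    return boundary is not None


class ContentTypeGuard:
    """Pure-ASGI middleware (no Starlette import needed): answers 400 itself when
    the Content-Type fails validation, so the application never parses the body."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            ct = next((v for k, v in scope.get("headers", []) if k.lower() == b"content-type"), None)
            if ct is not None and not validate_content_type(ct.decode("latin-1")):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"invalid Content-Type header"})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    # Stand-in for the real application: answers 200 to anything that reaches it.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


async def probe(content_type: str) -> int:
    """Drive the guarded app with a constructed POST and return the status code."""
    scope = {"type": "http", "method": "POST", "path": "/upload",
             "headers": [(b"content-type", content_type.encode("latin-1"))]}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    statuses = []

    async def send(message):
        if message["type"] == "http.response.start":
            statuses.append(message["status"])

    await ContentTypeGuard(_ok_app)(scope, receive, send)
    return statuses[0]


def probe_status(content_type: str) -> int:
    return asyncio.run(probe(content_type))


if __name__ == "__main__":
    for ct in ("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
               "multipart/form-data; boundary=" + "a" * 300):
        print(ct[:60], "->", probe_status(ct))
```

Wrap the application with `ContentTypeGuard(app)` at the outermost layer (in Starlette, `app = ContentTypeGuard(Starlette(...))` or via `Middleware`) so the check runs before any body parsing. The validator deliberately avoids regular expressions with nested or unbounded repetition; the only pattern it uses is a single character class, so the guard itself cannot become a ReDoS sink.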
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious Content-Type patterns.
- Isolate vulnerable services behind reverse proxies with request filtering capabilities.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of python-multipart: 'pip show python-multipart' and verify if version is < 0.0.7.
Check Version:
pip show python-multipart | grep Version
Verify Fix Applied:
After updating, run 'pip show python-multipart' to confirm version is 0.0.7 or higher, and test form data endpoints for functionality.
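The version check above, scripted so it can run in CI or across a fleet, as an added example that is not part of this advisory: it reads the installed python-multipart version through importlib.metadata and compares it with the patched release 0.0.7 named above. The comparison helper is my own; it treats a pre-release string such as 0.0.7rc1 as still vulnerable, which is the conservative choice, and reports None when the package is not installed at all.

```python
import re
from importlib import metadata

# Patched release named in the advisory, padded with a final 0 so that
# pre-release tags (which get -1 in that slot) sort below it.
FIXED_VERSION = (0, 0, 7, 0)


def parse_version(text: str) -> tuple:
    """Turn '0.0.6', '0.0.10' or '0.0.7rc1' into a comparable tuple.

    The first three numeric components are kept (missing ones become 0);
    a fourth slot is -1 for pre-releases and 0 for final releases.
    """
    nums = []
    prerelease = False
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            prerelease = True  # e.g. 'dev1' with no leading digits
            break
        nums.append(int(m.group()))
        if m.end() != len(piece):
            prerelease = True  # e.g. '7rc1': digits followed by a tag
            break
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + ((-1,) if prerelease else (0,))


def is_vulnerable(version: str) -> bool:
    """True for any python-multipart version below the 0.0.7 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_version(dist: str = "python-multipart"):
    """Installed version string for a distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def check_host() -> dict:
    """Summarise the state of this interpreter's python-multipart install."""
    version = installed_version()
    return {
        "installed": version,
        "vulnerable": None if version is None else is_vulnerable(version),
    }


if __name__ == "__main__":
    result = check_host()
    if result["installed"] is None:
        print("python-multipart is not installed in this environment")
    else:
        state = "VULNERABLE, upgrade to >=0.0.7" if result["vulnerable"] else "patched"
        print(f"python-multipart {result['installed']}: {state}")
```

Run it with the same interpreter that serves the application (a virtualenv or container may carry a different copy than the system Python), and repeat the exercise for Starlette and FastAPI, which pin their own python-multipart requirement.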
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage on servers handling HTTP requests
- Increased request timeouts or errors on form submission endpoints
- Log entries showing malformed or unusually long Content-Type headers
Network Indicators:
- HTTP requests with Content-Type headers containing complex or repetitive patterns
- Sudden spikes in traffic to endpoints accepting multipart/form-data
SIEM Query:
source="web_server_logs" AND (content_type="*;*" OR content_type="*\"*" OR content_type="*'*") AND response_time > 5000
🔗 References
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
- https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
- https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
- https://github.com/tiangolo/fastapi/releases/tag/0.109.1
- https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389