CVE-2024-52581
📋 TL;DR
Litestar's built-in multipart/form-data parser, in every version before 2.13.0, enforces no limit on the size of the request body it reads. A client can send an arbitrarily large multipart request to any handler that accepts form uploads, and the application buffers the whole body in memory before parsing it. The result is unbounded memory consumption on the server and, in practice, denial of service. Every Litestar application that exposes a handler consuming multipart/form-data through the built-in parser is affected; applications that never accept multipart bodies are not.
💻 Affected Systems
- Litestar ASGI framework
📦 What is this software?
Litestar (formerly Starlite) is an open-source Python ASGI web framework maintained by the litestar-org project. The vulnerable component is its built-in multipart/form-data parser, used whenever a handler reads form uploads.
⚠️ Risk & Real-World Impact
Worst Case
Complete server outage due to memory exhaustion, causing denial of service for all users and potentially requiring server restart.
Likely Case
Degraded server performance or temporary unavailability due to memory pressure from large file uploads.
If Mitigated
Minimal impact with proper request size limits and monitoring in place.
🎯 Exploit Status
Exploitation is trivial: any HTTP client that can reach a multipart-accepting handler can stream an oversized body, with no special tooling and no authentication beyond whatever the upload endpoint already requires. This is a variant of CVE-2023-25578, the earlier multipart denial-of-service in the same framework (see the GHSA-p24m-863f-fm6q advisory in the references), so the attack pattern is already public and familiar to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.0
Vendor Advisory: https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj
Restart Required: Yes
Instructions:
1. Upgrade Litestar to 2.13.0 or later: pip install --upgrade 'litestar>=2.13.0' (quote the specifier so the shell does not treat >= as a redirection)
2. Restart the application server so the new code is loaded
3. Verify the installed version (see "How to Verify" below)
4. 2.13.0 introduces a request_max_body_size setting on the application and on routers, controllers and handlers, with a 10 MB default; raise it only on the handlers that genuinely need larger uploads rather than globally
🔧 Temporary Workarounds
Implement request size limits at the edge
Configure the web server or reverse proxy in front of Litestar to reject oversized bodies before they reach the application. This only protects traffic that passes through the proxy; if the ASGI server is reachable directly, the limit is bypassed.
nginx: client_max_body_size 10M;
Apache: LimitRequestBody 10485760
Bound the body yourself instead of calling the built-in parser
Litestar has no configuration switch for swapping in another multipart parser. For handlers that must keep accepting uploads before you can patch, read the raw body incrementally from request.stream() instead of calling request.form(), abort once a byte budget is exceeded, and feed the chunks to a streaming parser such as python-multipart so the full body is never held in memory at once.
pip install python-multipart
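The same byte budget can be enforced one layer earlier, at the ASGI boundary, so that no handler (and no parser) ever sees more than a fixed number of body bytes. The block below is an added example, not code from the Litestar project or its advisory: a pure-ASGI middleware that rejects on a declared Content-Length up front and otherwise counts bytes as the application pulls chunks, answering 413 the moment the budget is exceeded. The 10 MB default, the `slurping_app` stand-in for a buffer-everything parser, and the `simulate_request` driver with its constructed chunks are all assumptions made for the demonstration.

```python
import asyncio

MAX_BODY_DEFAULT = 10_000_000  # bytes; assumed default for this example, not a Litestar constant


class BodyTooLarge(Exception):
    """Raised inside the guarded receive() once the cumulative body exceeds the budget."""


def _declared_content_length(scope):
    """Content-Length as int, or None when the header is absent or malformed."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"content-length":
            try:
                return int(value)
            except ValueError:
                return None
    return None


async def _send_413(send):
    body = b"request body too large\n"
    await send({"type": "http.response.start", "status": 413,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class BodySizeLimitMiddleware:
    """Refuse request bodies larger than max_body bytes before the app can buffer them."""

    def __init__(self, app, max_body=MAX_BODY_DEFAULT):
        self.app = app
        self.max_body = max_body

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        # Fast path: an honest Content-Length lets us refuse without reading anything.
        declared = _declared_content_length(scope)
        if declared is not None and declared > self.max_body:
            await _send_413(send)
            return

        seen = 0
        response_started = False

        async def guarded_receive():
            # Count every body chunk the app pulls; a chunked or lying client gets no more
            # than max_body bytes buffered downstream before we abort.
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_body:
                    raise BodyTooLarge(seen)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, guarded_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # headers already on the wire; let the server drop the connection
            await _send_413(send)


async def slurping_app(scope, receive, send):
    """Stand-in for a handler whose parser buffers the whole body first (pre-2.13.0 behaviour)."""
    chunks = []
    while True:
        message = await receive()
        chunks.append(message.get("body", b""))
        if not message.get("more_body", False):
            break
    payload = f"received {sum(len(c) for c in chunks)} bytes".encode()
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-length", str(len(payload)).encode())]})
    await send({"type": "http.response.body", "body": payload})


def simulate_request(app, body_chunks, headers=()):
    """Drive an ASGI app with a constructed POST; return (status, body bytes the app pulled)."""
    pulled, status = 0, None

    async def run():
        nonlocal pulled, status
        queue = list(body_chunks)

        async def receive():
            nonlocal pulled
            chunk = queue.pop(0)
            pulled += len(chunk)
            return {"type": "http.request", "body": chunk, "more_body": bool(queue)}

        async def send(message):
            nonlocal status
            if message["type"] == "http.response.start":
                status = message["status"]

        scope = {"type": "http", "method": "POST", "path": "/upload", "headers": list(headers)}
        await app(scope, receive, send)

    asyncio.run(run())
    return status, pulled


if __name__ == "__main__":
    chunks = [b"A" * 600] * 5  # 3000 bytes arriving chunked, no Content-Length
    guarded = BodySizeLimitMiddleware(slurping_app, max_body=1000)
    print("unguarded:", simulate_request(slurping_app, chunks))          # (200, 3000)
    print("guarded:  ", simulate_request(guarded, chunks))               # (413, 1200)
    print("declared: ", simulate_request(guarded, chunks, [(b"content-length", b"3000")]))  # (413, 0)
```

The unguarded run shows the vulnerable shape: the app pulls all 3000 bytes before responding. Behind the middleware the app stops after the second chunk (1200 bytes, the first chunk that tips over the 1000-byte budget) and the client gets 413; with a truthful Content-Length nothing is read at all. The class follows the `__init__(app, ...)` / `async __call__(scope, receive, send)` shape Litestar's middleware list accepts, so it can sit in front of the parser as an interim control; whether that matches your Litestar version is something to check against its middleware documentation.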
🧯 If You Can't Patch
- Deploy web application firewall (WAF) rules to block or limit large multipart requests
- Implement rate limiting and monitoring for large file uploads to detect and block abuse
🔍 How to Verify
Check if Vulnerable:
Check the installed version, not only the declared one: 'pip show litestar' (or 'pip freeze | grep -i litestar') reports what is actually installed, while requirements.txt, pyproject.toml or the lock file show what is pinned. Anything below 2.13.0 is vulnerable.
Check Version:
python -c "import litestar; print(litestar.__version__)"
Verify Fix Applied:
Confirm the version is 2.13.0 or higher: 'pip show litestar | grep Version' should print 'Version: 2.13.0' or later. Repeat the check in every deployed environment and container image, not just on the development machine.
📡 Detection & Monitoring
Log Indicators:
- Unusually large request sizes in access logs
- Memory usage spikes coinciding with file upload requests
- HTTP 413 errors from size limits
Network Indicators:
- Large Content-Length headers in POST requests
- Prolonged multipart/form-data uploads
- Multiple large file uploads from single source
SIEM Query:
source=access_logs method=POST content_type="multipart/form-data" content_length>10000000
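The SIEM query above is pseudo-syntax; its field names depend on the log source. As an added example (not code from the page or the Litestar project), the block below runs the same logic over constructed nginx-style access-log lines, assumed to carry $request_length and $content_type as the last two fields, and adds the per-source burst check the Network Indicators list asks for. The 10 MB threshold, the 60-second window and the three-request burst cutoff are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real traffic: ip, timestamp, request line, status,
# request length in bytes, content type.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2024:10:01:02 +0000] "POST /upload HTTP/1.1" 200 524288 "multipart/form-data; boundary=x"
203.0.113.7 - - [05/Nov/2024:10:01:09 +0000] "POST /upload HTTP/1.1" 200 734003200 "multipart/form-data; boundary=x"
198.51.100.9 - - [05/Nov/2024:10:01:10 +0000] "POST /api/items HTTP/1.1" 200 734003200 "application/json"
203.0.113.7 - - [05/Nov/2024:10:01:15 +0000] "POST /upload HTTP/1.1" 413 734003200 "multipart/form-data; boundary=x"
203.0.113.7 - - [05/Nov/2024:10:01:20 +0000] "POST /upload HTTP/1.1" 413 734003200 "multipart/form-data; boundary=x"
192.0.2.4 - - [05/Nov/2024:10:03:00 +0000] "POST /upload HTTP/1.1" 200 52428800 "multipart/form-data; boundary=y"
192.0.2.4 - - [05/Nov/2024:10:05:00 +0000] "GET /health HTTP/1.1" 200 120 "-"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+) "(?P<ctype>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["length"] = int(rec["length"])
    return rec


def large_multipart_posts(lines, threshold=10_000_000):
    """Records matching: POST, multipart/form-data, request larger than threshold bytes.

    Both 200s and 413s are kept: a 413 means a size limit caught the request, but the
    source is still probing and worth counting.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["ctype"].lower().startswith("multipart/form-data")
                and rec["length"] > threshold):
            hits.append(rec)
    return hits


def bursty_sources(hits, window=timedelta(seconds=60), min_count=3):
    """Map source IP -> max number of large uploads inside any sliding window."""
    by_ip = defaultdict(list)
    for rec in hits:
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    hits = large_multipart_posts(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ip']} {rec['ts']:%H:%M:%S} {rec['path']} {rec['status']} {rec['length']} bytes")
    print("bursty sources:", bursty_sources(hits))  # {'203.0.113.7': 3}
```

On the sample, the 700 MB application/json POST is ignored (a different parser, not this CVE) and the 512 KB upload is below threshold, leaving four hits; only 203.0.113.7 crosses the burst cutoff with three oversized uploads in eleven seconds, two of them already rejected with 413 by an edge limit.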
🔗 References
- https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97
- https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138
- https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj
- https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q