
Allocation of Resources Without Limits or Throttling

CVE-2024-53981

Severity High
Score 8.7/10

Summary

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR "\r" or LF "\n") in front of the first boundary and any trailing bytes after the last boundary. It does this one byte at a time and emits a log event for each byte, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In an ASGI application this could stall the event loop and prevent other requests from being processed, resulting in a Denial of Service (DoS). This issue affects python-multipart versions prior to 0.0.18.
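As an added illustration (constructed for this page, not python-multipart's own code), the toy below shows the two shapes the summary contrasts: a preamble skipper that consumes one CR/LF byte per loop iteration and logs each one, beside a variant that strips the whole run at once, logs once, and refuses preambles above a cap, which is the CWE-770 style limit the advisory's fix direction implies. The boundary value, the function names and `MAX_PREAMBLE_BYTES` are assumptions for the example.

```python
"""Toy model of the pre-boundary skipping described in CVE-2024-53981.
Constructed example code; it is NOT python-multipart's source."""
from __future__ import annotations

import logging

log = logging.getLogger("multipart_toy")

# Hypothetical cap on bytes tolerated in front of the first boundary
# (the value is an assumption for this example, not from the advisory).
MAX_PREAMBLE_BYTES = 4096


def skip_preamble_per_byte(data: bytes, boundary: bytes) -> tuple[int, int]:
    """Per-byte skipping with one log event per byte: the pattern the advisory
    describes. Returns (offset of the first boundary, number of log events).
    Cost in log calls grows linearly with the attacker-controlled preamble."""
    delim = b"--" + boundary
    events = 0
    i = 0
    while i < len(data) and not data.startswith(delim, i):
        if data[i] in (0x0D, 0x0A):  # CR or LF in front of the first boundary
            log.debug("skipping leading line break at offset %d", i)
            events += 1
            i += 1
        else:
            raise ValueError("unexpected byte before first boundary")
    if i >= len(data):
        raise ValueError("no boundary found")
    return i, events


def skip_preamble_bulk(data: bytes, boundary: bytes) -> tuple[int, int]:
    """Hardened variant: strip the whole CR/LF run in one step, emit a single
    log event, and reject preambles longer than MAX_PREAMBLE_BYTES so a large
    input is bounded instead of costing one log call per byte."""
    delim = b"--" + boundary
    stripped = data.lstrip(b"\r\n")
    skipped = len(data) - len(stripped)
    if skipped > MAX_PREAMBLE_BYTES:
        raise ValueError(f"preamble of {skipped} bytes exceeds limit")
    if not stripped.startswith(delim):
        raise ValueError("first boundary not found after preamble")
    if skipped:
        log.debug("skipped %d leading line-break bytes", skipped)
    return skipped, (1 if skipped else 0)


if __name__ == "__main__":
    # Constructed sample body: 1000 CRLF pairs, then a minimal multipart part.
    body = b"\r\n" * 1000 + b"--abc\r\nContent-Disposition: form-data\r\n\r\nx\r\n--abc--"
    print("per-byte  :", skip_preamble_per_byte(body, b"abc"))  # (2000, 2000)
    print("bulk      :", skip_preamble_bulk(body, b"abc"))      # (2000, 1)
```

The same comparison applies to the bytes after the last boundary: a parser that consumes trailing data byte by byte with a log call each time pays a per-byte cost on attacker-supplied input, while a bounded bulk skip keeps the work proportional to a fixed limit.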

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Advisory Timeline

  • Published