CVE-2024-24762

NameCVE-2024-24762
Description`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1063538

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-multipart (PTS)bullseye0.0.5-2vulnerable
bookworm0.0.5-3vulnerable
sid, trixie0.0.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-multipartsource(unstable)0.0.9-11063538

Notes

[bookworm] - python-multipart <no-dsa> (Minor issue)
[bullseye] - python-multipart <no-dsa> (Minor issue)
Original report at fastapi: https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
But the fix is within python-multipart:
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4 (0.0.7)
https://github.com/Kludex/python-multipart/pull/75
Search for package or bug name: Reporting problems