{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/python-multipart--0.0.27/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["python-multipart (\u003c 0.0.27)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","python-multipart","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003epython-multipart\u003c/code\u003e library is vulnerable to a denial-of-service (DoS) attack due to unbounded header parsing. This vulnerability affects applications parsing \u003ccode\u003emultipart/form-data\u003c/code\u003e using versions of \u003ccode\u003epython-multipart\u003c/code\u003e prior to 0.0.27. An attacker can exploit this by sending a crafted HTTP request containing either numerous repeated headers without terminating the header block or a single, excessively large header value. This leads to excessive CPU consumption as the server attempts to parse the oversized or numerous headers, potentially causing significant delays or service interruption. ASGI applications such as Starlette and FastAPI, which rely on \u003ccode\u003epython-multipart\u003c/code\u003e, are particularly susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP POST request with a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type.\u003c/li\u003e\n\u003cli\u003eThe malicious request contains either a large number of repeated header lines or a single, oversized header value within a multipart part.\u003c/li\u003e\n\u003cli\u003eThe request is sent to a web server running an application that uses \u003ccode\u003epython-multipart\u003c/code\u003e to parse multipart form data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMultipartParser\u003c/code\u003e in \u003ccode\u003epython-multipart\u003c/code\u003e attempts to parse the headers.\u003c/li\u003e\n\u003cli\u003eDue to the lack of limits on header count and size in vulnerable versions, the parsing process consumes excessive CPU resources.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s worker or event loop becomes delayed while processing the malicious request.\u003c/li\u003e\n\u003cli\u003eThis delay can lead to a denial of service, as the server is unable to efficiently handle legitimate requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to CPU exhaustion on the targeted server, causing delays or interruptions in service. ASGI applications utilizing Starlette, FastAPI, or similar frameworks are at risk. The number of victims depends on the popularity and exposure of the affected applications. The impact includes potential downtime, reduced application performance, and a negative user experience.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003epython-multipart\u003c/code\u003e version 0.0.27 or later to apply the fix that enforces limits on header count and size.\u003c/li\u003e\n\u003cli\u003eIf an immediate upgrade is not feasible, implement request body size limits at the server, proxy, or framework level to reduce the potential impact, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests with unusually large header sizes or a high number of headers, using detection rules targeting anomalous header behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-python-multipart-dos/","summary":"A denial-of-service vulnerability exists in python-multipart versions prior to 0.0.27 due to unbounded multipart part header parsing, allowing attackers to exhaust CPU resources by sending requests with many repeated headers or a single oversized header value.","title":"Python-Multipart Denial of Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-python-multipart-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Python-Multipart (\u003c 0.0.27)","version":"https://jsonfeed.org/version/1.1"}