CVE-2024-24762: python-multipart vulnerable to content-type header Regular expression Denial of Service

7.5 CVSS

Description

`python-multipart` is a streaming multipart parser for Python. When handling form data, `python-multipart` uses a regular expression to parse the HTTP `Content-Type` header, including its options. An attacker could send a custom-made `Content-Type` option that is very difficult for the regex to process, consuming CPU and stalling indefinitely (minutes or more) while holding the main event loop. The process therefore cannot handle any further requests, which amounts to a regular expression denial of service (ReDoS). This vulnerability has been patched in version 0.0.7.
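The mitigation the advisory describes is to stop parsing header options with a backtracking regular expression. The following is an added example, not code from python-multipart, Starlette or FastAPI, and it does not reproduce the affected regex: it shows a hand-written, single-pass (linear-time) parser for `Content-Type` options with an input-length cap, plus a small helper that flags python-multipart versions older than the patched 0.0.7. `MAX_HEADER_LEN` is a constructed limit, not a value from the advisory.

```python
"""Added example (not the project's own code): a regex-free, linear-time
Content-Type parser and a version check for the fix in python-multipart 0.0.7."""
from __future__ import annotations

MAX_HEADER_LEN = 8192  # constructed limit; a real server sets its own header cap
PATCHED_VERSION = (0, 0, 7)  # from the advisory: fixed in python-multipart 0.0.7


class HeaderTooLong(ValueError):
    """Raised when a header exceeds the configured length cap."""


def _unquote(s: str) -> str:
    """Remove backslash escapes from the inside of a quoted-string value."""
    out: list[str] = []
    escaped = False
    for ch in s:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def parse_content_type(value: str, max_len: int = MAX_HEADER_LEN) -> tuple[str, dict[str, str]]:
    """Return (media_type, options) for a Content-Type header value.

    Every character is visited exactly once and no regular expression is used,
    so the cost is O(len(value)) regardless of how the input is shaped.
    Quoted values (name="a;b") are honoured; semicolons inside quotes do not
    split parameters, and backslash escapes inside quotes are unescaped.
    """
    if len(value) > max_len:
        raise HeaderTooLong(f"Content-Type header exceeds {max_len} characters")

    # Pass 1: split on ';' outside quotes, keeping escapes intact for pass 2.
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = False
    escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    # Pass 2: turn "name=value" pieces into a dict, lower-casing names.
    media_type = parts[0].strip().lower()
    options: dict[str, str] = {}
    for raw in parts[1:]:
        if "=" not in raw:
            continue  # bare or malformed parameter: ignore instead of failing
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = _unquote(val[1:-1])
        if name:
            options[name] = val
    return media_type, options


def _numeric_prefix(component: str) -> int:
    """Leading digits of a version component ('7rc1' -> 7); 0 if none."""
    digits = ""
    for ch in component:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits or 0)


def is_vulnerable_version(version: str) -> bool:
    """True when a python-multipart version string predates the 0.0.7 fix."""
    parts = tuple(_numeric_prefix(p) for p in version.split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < PATCHED_VERSION


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(parse_content_type('multipart/form-data; boundary="----x;y"'))
    print("0.0.6 vulnerable:", is_vulnerable_version("0.0.6"))
    print("0.0.7 vulnerable:", is_vulnerable_version("0.0.7"))
```

The length cap is the first line of defence: it bounds the work any single header can cause before parsing starts. The parser itself is the second, since a single forward pass cannot backtrack no matter how the options are arranged. The version helper is for inventory scripts that read `python-multipart` versions from lock files or `pip freeze` output.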

Classification

CVE ID: CVE-2024-24762

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-400 Uncontrolled Resource Consumption

Affected Products

Vendor: Kludex, tiangolo, encode

Product: python-multipart, fastapi, starlette

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.8% (estimated probability of exploitation)

EPSS Percentile: 81.91% (share of scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-24762
https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5
https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
https://github.com/tiangolo/fastapi/releases/tag/0.109.1

Timeline