CVE-2023-24580
published 2023-02-15


Priority: P3 (57)
CVSS 3.1: 7.5 High, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 62.58% (99.1th percentile)
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

Affected

8 ranges
Vendor        | Product       | Version range                              | Fixed in
debian        | debian_linux  |                                            |
debian        | python-django | < python-django 3:3.2.18-1 (bookworm)      | python-django 3:3.2.18-1 (bookworm)
djangoproject | django        | >= 3.2 < 3.2.18                            | 3.2.18
djangoproject | django        | >= 3.2a1 < 3.2.18                          | 3.2.18
djangoproject | django        | >= 4.0 < 4.0.10                            | 4.0.10
djangoproject | django        | >= 4.0a1 < 4.0.10                          | 4.0.10
djangoproject | django        | >= 4.1 < 4.1.7                             | 4.1.7
djangoproject | django        | >= 4.1a1 < 4.1.7                           | 4.1.7

Detection & IOCs

  • Detect excessive number of multipart form parts in a single HTTP POST request targeting Django endpoints, which may indicate a DoS attempt exploiting the multipart request parser
  • Monitor for memory exhaustion or rapid increase in open file descriptors on Django application processes receiving multipart POST requests, which may indicate active exploitation
  • Alert on OOM kills of Django application processes combined with residual temporary files left on disk, which may indicate post-exploitation disk/inode exhaustion
  • Flag multipart POST requests to any Django endpoint (not just file upload forms) with an abnormally high number of parts, as the parser applies to all POST endpoints
  • Django versions 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7 are vulnerable; upgrade to patched versions to remediate
  • The fix introduces a new DATA_UPLOAD_MAX_NUMBER_FILES setting to limit the number of file parts parsed; ensure this setting is configured appropriately in Django deployments
  • The vulnerability affects all POST endpoints in Django, not only explicit file upload forms, broadening the attack surface beyond what operators may expect
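An added detection helper for the first and fourth bullets above; it is not part of this database entry or of Django. It counts the parts and file parts of a multipart/form-data body by inspecting each part's headers only, and flags a request whose counts exceed a cap, mirroring the DATA_UPLOAD_MAX_NUMBER_FILES limit the fix introduced. The default of 100 for that setting, the MAX_PARTS value and the sample body are assumptions.

```python
import re

# Django's fix adds DATA_UPLOAD_MAX_NUMBER_FILES; its default of 100 is
# assumed here (not stated on this page) and mirrored as the file-part cap.
MAX_FILES = 100
# Assumed local cap on total parts of any kind; tune per application.
MAX_PARTS = 1000

def count_multipart_parts(body: bytes, boundary: str):
    """Return (total_parts, file_parts) for a multipart/form-data body.
    Only each part's header block is inspected; part bodies are not buffered."""
    delim = b"--" + boundary.encode()
    total = files = 0
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):   # closing delimiter "--boundary--"
            break
        headers = chunk.split(b"\r\n\r\n", 1)[0]
        total += 1
        if re.search(rb"(?i)content-disposition:[^\r\n]*filename=", headers):
            files += 1
    return total, files

def check_request(body, content_type, max_files=MAX_FILES, max_parts=MAX_PARTS):
    """Return (flagged, reason); non-multipart requests are never flagged."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not content_type.startswith("multipart/form-data") or not m:
        return False, "not multipart"
    total, files = count_multipart_parts(body, m.group(1))
    if files > max_files:
        return True, f"{files} file parts exceeds {max_files}"
    if total > max_parts:
        return True, f"{total} parts exceeds {max_parts}"
    return False, f"{total} parts, {files} files"

# Constructed sample: three parts, two of them file uploads.
BOUNDARY = "ConstructedBoundary1234"
SAMPLE_CT = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="title"\r\n\r\nhello\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="f1"; filename="a.txt"\r\n'
    "Content-Type: text/plain\r\n\r\nAAA\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="f2"; filename="b.txt"\r\n'
    "Content-Type: text/plain\r\n\r\nBBB\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
```

Run it on raw request bodies at a reverse proxy or WAF, with the Content-Type header passed as `content_type`, so the count is taken before the body reaches the application's parser.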

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH