CVE-2023-30798
Published: 2023-04-21
Priority: P3 (41) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged, no confidentiality or integrity impact, high availability impact)
EPSS: 1.29% (66.6th percentile)

The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated, remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service.
Affected
3 distinct ranges (the index lists 6 entries, several of them identical)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | starlette | < 0.25.0-1 (bookworm) | 0.25.0-1 (bookworm) |
| encode | starlette | < 0.25.0 | 0.25.0 |
| encode | starlette | >= 0, < 0.25.0-1 | 0.25.0-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
Debian
CVE-2023-30798: starlette · vendor_debian · 2023 · CVSS 7.5 (HIGH)
Scope: local
bookworm: resolved (fixed in 0.25.0-1)
bullseye: open (no fixed package; a deployment on bullseye needs Starlette >= 0.25.0 from PyPI, for example inside a virtualenv, or a local backport)
forky: resolved (fixed in 0.25.0-1)
sid: resolved (fixed in 0.25.0-1)
trixie: resolved (fixed in 0.25.0-1)
OSV
CVE-2023-30798 · osv · 2023-04-21 · CVSS 7.5 (HIGH) · same description as above
OSV (GHSA-74m5-2c7w-9w3x)
MultipartParser denial of service with too many fields or files
osv · 2023-02-14 · HIGH
### Impact
The `MultipartParser`, backed by the package `python-multipart`, accepts an unlimited number of multipart parts (form fields or files).
Processing too many parts drives CPU and memory usage up until the process is OOM-killed.
This can be triggered by sending a large number of small form fields with no content, or a large number of empty files.
For this to take effect, application code has to:
* have `python-multipart` installed, and
* call `request.form()`,
* or do so indirectly through another framework such as FastAPI, where form field parameters or `UploadFile` parameters call `request.form()`.
### Patches
The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and wit
GHSA
MultipartParser denial of service with too many fields or files
ghsa · 2023-02-14 · HIGH · CWE-400 (Uncontrolled Resource Consumption)
Advisory body (Impact and Patches sections) identical to the OSV entry above.
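The Impact and Patches text above describes the bug class (a parser that keeps every multipart part, however many arrive) and the shape of the fix (a per-request cap on fields and files). The following is an added example written for this page, not code from Starlette, python-multipart or the advisory: a miniature multipart/form-data part scanner that shows the unbounded behaviour beside a capped one, plus the version check a deployer wants. The names `Limits`, `TooManyParts`, `iter_parts`, `count_parts`, `build_multipart` and `starlette_is_fixed`, and the default cap of 1000, are this example's assumptions; the sample bodies are constructed inline so it runs offline.

```python
"""Added example (not Starlette's code): why an unbounded multipart parser is a
memory-DoS sink, and how a field/file cap enforced while scanning closes it."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Content-Disposition header of a part; group(1) carries its parameters.
_DISPOSITION = re.compile(rb"Content-Disposition:\s*form-data;([^\r\n]*)", re.I)


class TooManyParts(ValueError):
    """The request exceeded the configured number of form fields or files."""


@dataclass(frozen=True)
class Limits:
    max_fields: int = 1000  # assumed default; pick what your app really needs
    max_files: int = 1000


def build_multipart(num_fields: int, num_files: int, boundary: bytes = b"b0undary") -> bytes:
    """Constructed attacker-style body: many empty fields and empty files.

    Each part costs the sender a few dozen bytes but costs a naive parser a
    fully materialised part object; that asymmetry is the DoS."""
    chunks = []
    for i in range(num_fields):
        chunks.append(
            b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="f%d"\r\n\r\n\r\n' % i
        )
    for i in range(num_files):
        chunks.append(
            b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="u%d"; filename="e%d"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n\r\n" % (i, i)
        )
    return b"".join(chunks) + b"--" + boundary + b"--\r\n"


def iter_parts(body: bytes, boundary: bytes):
    """Yield (raw_headers, payload) per part, scanning forward instead of
    pre-splitting the whole body, so a limit can stop the scan early."""
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        raise ValueError("boundary not found")
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):       # closing delimiter: done
            return
        if body.startswith(b"\r\n", pos):     # CRLF ending the delimiter line
            pos += 2
        end = body.find(b"\r\n" + delim, pos)
        if end < 0:
            raise ValueError("unterminated part")
        headers, _, payload = body[pos:end].partition(b"\r\n\r\n")
        yield headers, payload
        pos = end + 2 + len(delim)


def parse_unbounded(body: bytes, boundary: bytes) -> list[tuple[bytes, bytes]]:
    """The vulnerable shape in miniature: keep every part, however many."""
    return list(iter_parts(body, boundary))


def count_parts(body: bytes, boundary: bytes, limits: Limits | None = None) -> tuple[int, int]:
    """Return (fields, files). With `limits`, raise TooManyParts the moment a
    cap is crossed, before the remaining parts are read or stored."""
    fields = files = 0
    for headers, _payload in iter_parts(body, boundary):
        match = _DISPOSITION.search(headers)
        is_file = match is not None and b"filename=" in match.group(1)
        if is_file:
            files += 1
            if limits is not None and files > limits.max_files:
                raise TooManyParts(f"more than {limits.max_files} files")
        else:
            fields += 1
            if limits is not None and fields > limits.max_fields:
                raise TooManyParts(f"more than {limits.max_fields} fields")
    return fields, files


def starlette_is_fixed(version: str) -> bool:
    """Deployer's check: Starlette >= 0.25.0 carries the fix for this CVE."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups()) >= (0, 25, 0)


if __name__ == "__main__":
    body = build_multipart(num_fields=50_000, num_files=10)
    kept = len(parse_unbounded(body, b"b0undary"))
    print(f"{len(body)} byte body; unbounded parse materialised {kept} parts")
    try:
        count_parts(body, b"b0undary", Limits())
    except TooManyParts as exc:
        print(f"capped parse rejected early: {exc}")
```

On Starlette 0.25.0 and later the same cap is exposed on the request API as keyword arguments to `request.form()` (`max_files` and `max_fields`); the default of 1000 each used above is an assumption to confirm against the signature of the installed version. As the advisory notes, an application that never calls `request.form()` (directly or through FastAPI form/`UploadFile` parameters), or that has no `python-multipart` installed, is not exposed. The cap bounds part count only; per-part and total body size still need a limit at the ASGI server or reverse proxy.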
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
- https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
- https://vulncheck.com/advisories/starlette-multipartparser-dos