CVE-2024-24762Uncontrolled Resource Consumption in Python-multipart

CWE-400Uncontrolled Resource ConsumptionCWE-1333Regex Denial of Service9 documents5 sources
Severity
7.5HIGHNVD
EPSS
3.3%
top 12.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Encode StarletteKludex Python-multipartTiangolo Fastapi+2 more
Timeline
PublishedFeb 5
Latest updateFeb 11

Description

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of ser

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

CVEListV5kludex/python-multipart< 0.0.7
debiandebian/python-multipart< python-multipart 0.0.9-1 (forky)
Debiankludex/python-multipart< 0.0.9-1+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

6
OSV
python-multipart vulnerabilities2026-02-11
OSV
python-multipart vulnerable to Content-Type Header ReDoS2024-02-12
GHSA
python-multipart vulnerable to Content-Type Header ReDoS2024-02-12
OSV
Duplicate Advisory: FastAPI Content-Type Header ReDoS2024-02-05
OSV
CVE-2024-24762: FastAPI is a web framework for building APIs with Python 32024-02-05

📋Vendor Advisories

2
Ubuntu
Python-Multipart vulnerabilities2026-02-11
Debian
CVE-2024-24762: python-multipart - `python-multipart` is a streaming multipart parser for Python. When using form d...2024