cbcvebase.
CVE-2024-24762
published 2024-02-05

CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP…

PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.52%
71.5th percentile
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Affected

12 ranges
VendorProductVersion rangeFixed in
debianpython-multipart< python-multipart 0.0.9-1 (forky)python-multipart 0.0.9-1 (forky)
encodestarlette< 0.36.20.36.2
fastapiexpertpython-multipart< 0.0.70.0.7
kludexpython-multipart< 0.0.70.0.7
kludexpython-multipart>= 0 < 0.0.9-10.0.9-1
kludexpython-multipart>= 0 < 0.0.9-10.0.9-1
kludexpython-multipart>= 0 < 0.0.70.0.7
kludexpython-multipart>= 0 < 0.0.5-2ubuntu0.1~esm10.0.5-2ubuntu0.1~esm1
kludexpython-multipart>= 0 < 0.0.9-1ubuntu0.1~esm10.0.9-1ubuntu0.1~esm1
tiangolofastapi< 0.109.10.109.1
tiangolofastapi>= 0 < 0.109.10.109.1
tiangolofastapi>= 0 < 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.