CVE-2024-24762
published 2024-02-05CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.52%
71.5th percentile
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-multipart | < python-multipart 0.0.9-1 (forky) | python-multipart 0.0.9-1 (forky) |
| encode | starlette | < 0.36.2 | 0.36.2 |
| fastapiexpert | python-multipart | < 0.0.7 | 0.0.7 |
| kludex | python-multipart | < 0.0.7 | 0.0.7 |
| kludex | python-multipart | >= 0 < 0.0.9-1 | 0.0.9-1 |
| kludex | python-multipart | >= 0 < 0.0.9-1 | 0.0.9-1 |
| kludex | python-multipart | >= 0 < 0.0.7 | 0.0.7 |
| kludex | python-multipart | >= 0 < 0.0.5-2ubuntu0.1~esm1 | 0.0.5-2ubuntu0.1~esm1 |
| kludex | python-multipart | >= 0 < 0.0.9-1ubuntu0.1~esm1 | 0.0.9-1ubuntu0.1~esm1 |
| tiangolo | fastapi | < 0.109.1 | 0.109.1 |
| tiangolo | fastapi | >= 0 < 0.109.1 | 0.109.1 |
| tiangolo | fastapi | >= 0 < 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc | 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
python-multipart vulnerabilities
osv·2026-02-11·CVSS 7.5
CVE-2024-24762 [HIGH] python-multipart vulnerabilities
python-multipart vulnerabilities
It was discovered that Python-Multipart incorrectly handled certain
regular expressions. An attacker could possibly use this issue to cause
Python-Multipart to consume excessive resources, leading to a regular
expression denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line
breaks during user input. An attacker could use this issue to send
arbitrary input, thus preventing other requests from being processed,
resulting in a denial of service. This issue was only fixed in
Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal
attacks. An attacker could possibly craft and upload files outside the
target directo
OSV
python-multipart vulnerable to Content-Type Header ReDoS
osv·2024-02-12
CVE-2024-24762 [HIGH] python-multipart vulnerable to Content-Type Header ReDoS
python-multipart vulnerable to Content-Type Header ReDoS
### Summary
When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.
An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.
This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
This only applies when the app uses form data, parsed with `python-multipart`.
### Details
A regular HTTP `Content-Type` header could look like:
```
Content-Type: text/html; charse
GHSA
python-multipart vulnerable to Content-Type Header ReDoS
ghsa·2024-02-12
CVE-2024-24762 [HIGH] CWE-400 python-multipart vulnerable to Content-Type Header ReDoS
python-multipart vulnerable to Content-Type Header ReDoS
### Summary
When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.
An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.
This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
This only applies when the app uses form data, parsed with `python-multipart`.
### Details
A regular HTTP `Content-Type` header could look like:
```
Content-Type: text/html; charse
OSV
Duplicate Advisory: FastAPI Content-Type Header ReDoS
osv·2024-02-05
CVE-2024-24762 [HIGH] Duplicate Advisory: FastAPI Content-Type Header ReDoS
Duplicate Advisory: FastAPI Content-Type Header ReDoS
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references.
## Original Description
### Summary
When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.
An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.
This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
OSV
CVE-2024-24762: FastAPI is a web framework for building APIs with Python 3
osv·2024-02-05
CVE-2024-24762 CVE-2024-24762: FastAPI is a web framework for building APIs with Python 3
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.
OSV
CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python
osv·2024-02-05·CVSS 7.5
CVE-2024-24762 [HIGH] CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Ubuntu
Python-Multipart vulnerabilities
vendor_ubuntu·2026-02-11·CVSS 7.5
CVE-2024-53981 [HIGH] Python-Multipart vulnerabilities
Title: Python-Multipart vulnerabilities
Summary: Several security issues were fixed in Python-Multipart.
It was discovered that Python-Multipart incorrectly handled certain
regular expressions. An attacker could possibly use this issue to cause
Python-Multipart to consume excessive resources, leading to a regular
expression denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line
breaks during user input. An attacker could use this issue to send
arbitrary input, thus preventing other requests from being processed,
resulting in a denial of service. This issue was only fixed in
Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal
attacks. An
Debian
CVE-2024-24762: python-multipart - `python-multipart` is a streaming multipart parser for Python. When using form d...
vendor_debian·2024·CVSS 7.5
CVE-2024-24762 [HIGH] CVE-2024-24762: python-multipart - `python-multipart` is a streaming multipart parser for Python. When using form d...
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 0.0.9-1)
sid: resolved (fixed in 0.0.9-1)
trixie: resolved (fixed in 0.0.9-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3phttps://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fchttps://github.com/tiangolo/fastapi/releases/tag/0.109.1https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3phttps://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fchttps://github.com/tiangolo/fastapi/releases/tag/0.109.1https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
2024-02-05
Published