CVE-2024-47874: Allocation of Resources Without Limits or Throttling in Starlette

Severity: 8.7 HIGH (NVD)
EPSS: 0.1% (top 68.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 15

Description

Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (4 packages)

CVEListV5: encode/starlette < 0.40.0
PyPI: encode/starlette < 0.40.0
debian: debian/starlette < starlette 0.41.0-1 (forky)
Debian: encode/starlette < 0.41.0-1+1

Vulnerability Details (3)

OSV: CVE-2024-47874: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit (2024-10-15)
GHSA: Starlette Denial of service (DoS) via multipart/form-data (2024-10-15)
OSV: Starlette Denial of service (DoS) via multipart/form-data (2024-10-15)

Vendor Advisories (2)

Red Hat: starlette: Starlette Denial of service (DoS) via multipart/form-data (2024-10-15)
Debian: CVE-2024-47874: starlette - Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. ... (2024)