Source: python-multipart
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-multipart.

CVE-2024-24762[0]:
| FastAPI is a web framework for building APIs with Python 3.8+ based
| on standard Python type hints. When using form data, `python-multipart`
| uses a Regular Expression to parse the HTTP `Content-Type` header,
| including options. An attacker could send a custom-made `Content-Type`
| option that is very difficult for the RegEx to process, consuming CPU
| resources and stalling indefinitely (minutes or more) while holding the
| main event loop. This means that process can't handle any more
| requests. It's a ReDoS (Regular expression Denial of Service), it only
| applies to those reading form data, using `python-multipart`. This
| vulnerability has been patched in version 0.109.0.

This was reported by fastapi:
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389

But the actual code fix within Debian is in python-multipart:
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
https://github.com/Kludex/python-multipart/pull/75

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24762
    https://www.cve.org/CVERecord?id=CVE-2024-24762

Please adjust the affected versions in the BTS as needed.
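As an added illustration of the mitigation class the advisory points at (this is not python-multipart's or FastAPI's code, and not the linked commit): a hand-written single-pass parser for a Content-Type header and its parameters, whose running time is linear in the header length no matter how the parameters are shaped, so there is no backtracking for a crafted option to exploit. The 8192-byte cap is an assumed defensive bound, not a value from the advisory.

```python
# Added example, not python-multipart's own code: a single-pass scanner for a
# Content-Type header and its parameters. Every character is visited once, so
# the cost is linear in header length however the parameters are shaped; the
# 8192-byte cap is an assumed defensive bound, not a value from the advisory.
def parse_content_type(header, max_len=8192):
    """Return (media_type, params) for e.g. 'multipart/form-data; boundary="abc"'.
    Names are lower-cased; quoted values may hold ';' and backslash-escaped quotes."""
    if len(header) > max_len:
        raise ValueError("Content-Type header exceeds %d bytes" % max_len)
    n, params = len(header), {}
    i = header.find(";")
    media_type = (header if i < 0 else header[:i]).strip().lower()
    if i < 0:
        return media_type, params
    i += 1  # step past the ';' that ends the media type
    while i < n:
        while i < n and header[i] in " \t":
            i += 1
        start = i
        while i < n and header[i] not in "=;":  # parameter name
            i += 1
        name = header[start:i].strip().lower()
        value = ""
        if i < n and header[i] == "=":
            i += 1
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] == '"':  # quoted-string value
                i += 1
                buf = []
                while i < n and header[i] != '"':
                    if header[i] == "\\" and i + 1 < n:
                        i += 1  # quoted-pair: take the next char literally
                    buf.append(header[i])
                    i += 1
                value = "".join(buf)
                i += 1  # closing quote
                while i < n and header[i] != ";":  # drop junk after the quote
                    i += 1
            else:  # token value runs up to the next ';'
                start = i
                while i < n and header[i] != ";":
                    i += 1
                value = header[start:i].strip()
        if name:
            params[name] = value
        if i < n and header[i] == ";":
            i += 1
    return media_type, params
```

An unterminated quoted value runs to the end of the header rather than causing an error, and empty parameters (`;;`) are skipped.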