Bugzilla – Bug 1219610
VUL-0: CVE-2024-24762: python-multipart: ReDoS (Regular expression Denial of Service)
Last modified: 2024-05-16 15:02:30 UTC
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests. It's a ReDoS (Regular expression Denial of Service); it only applies to those reading form data using `python-multipart`. This vulnerability has been patched in version 0.109.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24762
https://www.cve.org/CVERecord?id=CVE-2024-24762
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
https://github.com/andrew-d/python-multipart/releases/tag/0.0.7

Patch: https://github.com/andrew-d/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
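The description above is about regex-based parsing of the `Content-Type` header and its options. As an added example (not python-multipart's or FastAPI's own code), here is a single-pass, regex-free parser for that header that handles quoted values and escapes in linear time, with an assumed upper bound on header length as a further mitigation; the function name and bound are assumptions for illustration.

```python
# Added example: linear-time Content-Type option parsing without regular
# expressions. Not code from python-multipart; names and bound are assumed.
from typing import Dict, Tuple

MAX_HEADER_LEN = 8192  # assumed bound; reject oversize headers before parsing


def parse_options_header(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'type/subtype; key=value; key="quoted \\"value\\""' in one pass.

    Every loop below advances the index by at least one character, so the
    cost is O(len(value)) regardless of how the options are shaped.
    """
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("Content-Type header too long")
    head, _sep, rest = value.partition(";")  # media type is before first ';'
    ctype = head.strip().lower()
    options: Dict[str, str] = {}
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " \t;":  # skip whitespace / empty segments
            i += 1
        if i >= n:
            break
        start = i
        while i < n and rest[i] not in "=;":  # option name up to '=' or ';'
            i += 1
        key = rest[start:i].strip().lower()
        val = ""
        if i < n and rest[i] == "=":
            i += 1
            while i < n and rest[i] in " \t":
                i += 1
            if i < n and rest[i] == '"':  # quoted-string: honour backslash escapes
                i += 1
                buf = []
                while i < n and rest[i] != '"':
                    if rest[i] == "\\" and i + 1 < n:
                        i += 1
                    buf.append(rest[i])
                    i += 1
                i += 1  # step past the closing quote (tolerates a missing one)
                val = "".join(buf)
            else:  # bare token: runs to the next ';'
                start = i
                while i < n and rest[i] != ";":
                    i += 1
                val = rest[start:i].strip()
        if key:
            options[key] = val
    return ctype, options
```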
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/python-python-multipart
- openSUSE:Factory/python-python-multipart
Submission into devel project: https://build.opensuse.org/request/show/1144548
Submission into Factory: https://build.opensuse.org/request/show/1144633
ALP submission: https://build.suse.de/request/show/320743
Factory accepted, ALP pending. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1219610) was mentioned in https://build.opensuse.org/request/show/1153848 Factory / python-python-multipart
All done, closing.