CVE-2024-24762 HIGH

CVE-2024-24762: python-multipart vulnerable to Content-Type header Regular Expression Denial of Service

Vendor Kludex
Product python-multipart
Weakness CWE-400
Published February 5, 2024
Last update May 9, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

`python-multipart` is a streaming multipart parser for Python. When handling form data, `python-multipart` uses a regular expression to parse the HTTP `Content-Type` header, including its options. An attacker could send a crafted `Content-Type` option that is very expensive for the regex to process, consuming CPU and stalling indefinitely (minutes or more) while holding the main event loop. This means the process can't handle any further requests, resulting in a regular expression denial of service (ReDoS). This vulnerability has been patched in version 0.0.7.
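As an added, defender-side example (not python-multipart's own code): a single-pass `Content-Type` parser whose cost is linear in the header length, so it cannot be driven into regex backtracking, plus a check of the installed `python-multipart` distribution against the fixed release named above. `MAX_HEADER_LEN`, the function names and the sample headers are assumptions made for this illustration.

```python
"""Linear-time Content-Type parsing and a version gate for CVE-2024-24762."""
from importlib import metadata
from typing import Dict, Optional, Tuple

FIXED_VERSION = (0, 0, 7)  # first release carrying the fix, per the advisory
MAX_HEADER_LEN = 4096      # constructed bound: reject oversized headers up front


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """One forward pass over `type/subtype; k=v; k="quoted"`; no regex, no backtracking."""
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("Content-Type header too long")
    head, _, rest = value.partition(";")
    media_type = head.strip().lower()
    params: Dict[str, str] = {}
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " \t;":   # skip whitespace / empty params
            i += 1
        if i >= n:
            break
        eq = rest.find("=", i)
        if eq == -1:
            raise ValueError("parameter without '='")
        key = rest[i:eq].strip().lower()
        i = eq + 1
        if i < n and rest[i] == '"':          # quoted-string value
            i += 1
            buf = []
            while i < n and rest[i] != '"':
                if rest[i] == "\\" and i + 1 < n:   # backslash escape
                    i += 1
                buf.append(rest[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted string")
            i += 1                             # consume closing quote
            val = "".join(buf)
        else:                                  # token value runs to next ';'
            end = rest.find(";", i)
            end = n if end == -1 else end
            val = rest[i:end].strip()
            i = end
        params[key] = val
    return media_type, params


def multipart_version_is_fixed() -> Optional[bool]:
    """True if installed python-multipart >= 0.0.7, None if it is not installed."""
    try:
        ver = metadata.version("python-multipart")
    except metadata.PackageNotFoundError:
        return None
    parts = tuple(int(p) for p in ver.split(".")[:3] if p.isdigit())
    return parts >= FIXED_VERSION
```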

Key dates

Disclosure timeline

February 5, 2024 CVE published
May 9, 2025 Record updated