CVE-2024-53981
Description
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. It does this one byte at a time and emits a log event for each byte, which can produce excessive logging for certain inputs. An attacker could abuse this by sending a malicious request containing a large amount of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
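The amplification described above, shown as an added, constructed model rather than python-multipart's own code: a per-byte skipper that logs on every consumed line-break byte, beside a hardened variant that measures the run once, caps its length, and logs a single summary event. The function names, the `max_preamble` cap and the logger name are assumptions for this illustration.

```python
import logging
from contextlib import contextmanager

log = logging.getLogger("multipart-demo")  # stand-in for the parser's logger (assumed name)
log.setLevel(logging.DEBUG)


class CountingHandler(logging.Handler):
    """Counts emitted records so the log amplification can be measured."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def emit(self, record: logging.LogRecord) -> None:
        self.count += 1


@contextmanager
def counted_logging():
    handler = CountingHandler()
    log.addHandler(handler)
    try:
        yield handler
    finally:
        log.removeHandler(handler)


def skip_preamble_per_byte(data: bytes) -> tuple[int, int]:
    """Constructed model of the pre-0.0.18 behaviour: every CR/LF ahead of the
    first boundary is consumed one byte at a time, logging once per byte.
    Returns (bytes skipped, log events emitted)."""
    with counted_logging() as handler:
        i = 0
        while i < len(data) and data[i] in b"\r\n":
            log.debug("skipping leading byte at offset %d", i)  # one event per byte
            i += 1
        return i, handler.count


def skip_preamble_bulk(data: bytes, max_preamble: int = 4096) -> tuple[int, int]:
    """Hardened variant: measure the whole CR/LF run at once, reject it if it
    exceeds a size cap, and log a single summary event."""
    n = len(data) - len(data.lstrip(b"\r\n"))
    if n > max_preamble:
        raise ValueError(f"preamble of {n} bytes exceeds cap of {max_preamble}")
    with counted_logging() as handler:
        if n:
            log.debug("skipped %d leading line-break bytes", n)
        return n, handler.count
```

With 1000 CRLF pairs ahead of the boundary, the per-byte model emits 2000 log events while the bulk variant emits one; inputs beyond the cap are refused before any work is done.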
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-multipart (PyPI) | < 0.0.18 | 0.0.18 |
Affected products
Versions enumerated on the page (list truncated there): 0.0.10, 0.0.11, 0.0.12, …
No CPE is recorded for the following OSV entries.
| Package (OSV coordinates) | Affected range |
|---|---|
| pkg:apk/chainguard/reflex | < 0.6.7-r0 |
| pkg:apk/wolfi/reflex | < 0.6.7-r0 |
| pkg:pypi/python-multipart | < 0.0.18 |
| pkg:rpm/opensuse/python-python-multipart (openSUSE Leap 15.6) | < 0.0.9-150600.3.3.1 |
| pkg:rpm/opensuse/python-python-multipart (openSUSE Tumbleweed) | < 0.0.19-1.1 |