logo

Database

Asymmetric denial of service - ReDoS In starlette

Description

Duplicate Advisory: Starlette allows an unauthenticated and remote attacker to specify any number of form fields or files

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-74m5-2c7w-9w3x. This link is maintained to preserve external references.

Original Description

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2023-307982. GHSA-74m5-2c7w-9w3x3. GCVE-GHSA-3qj8-93xh-pwh2

References

1. https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x2. https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa3. https://vulncheck.com/advisories/starlette-multipartparser-dos

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.