VDB

CVE-2024-53981

CVE-2024-53981 PUBLISHED CVSS 7.5 HIGH

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.

EPSS 0.12% · 30.8th percentile

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.12%
30.8th percentile

Affected Products

VendorProductVersions
Kludexpython-multipart< 0.0.18
kludexpython-multipart0
PyPIpython-multipart0

Timeline

  • Jan 21, 1970 Security Advisory
  • Dec 2, 2024 CVE Published
  • Dec 3, 2024 EPSS Score
  • Dec 4, 2024 Coalition ESS Score
  • Dec 20, 2024 EPSS Score
  • Jan 6, 2025 EPSS Score
  • Jan 23, 2025 EPSS Score
  • Feb 9, 2025 EPSS Score
  • Feb 26, 2025 EPSS Score
  • Mar 15, 2025 EPSS Score
  • Apr 1, 2025 EPSS Score
  • Apr 18, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›