Package: python-multipart
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for python-multipart.
CVE-2024-53981[0]:
| python-multipart is a streaming multipart parser for Python. When
| parsing form data, python-multipart skips line breaks (CR \r or LF
| \n) in front of the first boundary and any tailing bytes after the
| last boundary. This happens one byte at a time and emits a log event
| each time, which may cause excessive logging for certain inputs. An
| attacker could abuse this by sending a malicious request with lots
| of data before the first or after the last boundary, causing high
| CPU load and stalling the processing thread for a significant amount
| of time. In case of ASGI application, this could stall the event
| loop and prevent other requests from being processed, resulting in a
| denial of service (DoS). This vulnerability is fixed in 0.0.18.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-53981
https://www.cve.org/CVERecord?id=CVE-2024-53981
[1]
https://github.com/Kludex/python-multipart/commit/9205a0ec8c646b9f705430a6bfb52bd957b76c19
[2]
https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177
Please adjust the affected versions in the BTS as needed.
