Safety vulnerability ID: 73725
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the Starlette framework are vulnerable to Denial of Service (DoS) attacks because they place no restriction on the size of individual multipart parts. The vulnerability resides in the `MultiPartParser` class, which previously did not enforce size limits on incoming data. The fix introduces a `max_part_size` constraint and raises an exception when the limit is exceeded.
Latest version: 0.41.3
The little ASGI library that shines.
This release fixes a Denial of service (DoS) via `multipart/form-data` requests.
You can view the full security advisory:
[GHSA-f96h-pmfr-66vw](https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw)
Fixed
- Add `max_part_size` to `MultiPartParser` to limit the size of parts in `multipart/form-data`
requests [fd038f3](https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733).
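The size check described above, as an added example that is not Starlette's code: a hypothetical callback-style collector that rejects a part as soon as its buffered data would pass `max_part_size`. The names `BoundedFormCollector`, `PartTooLarge`, `collect`, `oversized_chunks` and the 8192-byte cap are assumptions made for illustration, and the input is constructed.

```python
class PartTooLarge(Exception):
    """Raised when a single form part grows past the configured cap."""


class BoundedFormCollector:
    """Hypothetical callback sink for a streaming multipart parser."""

    def __init__(self, max_part_size):
        self.max_part_size = max_part_size
        self.fields = []
        self._name = None
        self._buf = bytearray()

    def on_part_begin(self, name):
        self._name, self._buf = name, bytearray()

    def on_part_data(self, chunk):
        # Check before appending, so buffered memory never exceeds the cap
        # however many chunks the client keeps streaming.
        if len(self._buf) + len(chunk) > self.max_part_size:
            raise PartTooLarge(f"part {self._name!r} exceeds {self.max_part_size} bytes")
        self._buf += chunk

    def on_part_end(self):
        self.fields.append((self._name, bytes(self._buf)))


def collect(parts, max_part_size):
    """Feed (name, iterable_of_chunks) pairs through the collector."""
    sink = BoundedFormCollector(max_part_size)
    for name, chunks in parts:
        sink.on_part_begin(name)
        for chunk in chunks:
            sink.on_part_data(chunk)
        sink.on_part_end()
    return sink.fields


def oversized_chunks(count=1_000_000, size=4096):
    """Constructed input: a lazily generated part of roughly 4 GB."""
    for _ in range(count):
        yield b"A" * size


if __name__ == "__main__":
    print(collect([("comment", [b"hello ", b"world"])], 8192))
    try:
        collect([("comment", oversized_chunks())], 8192)
    except PartTooLarge as exc:
        print("rejected:", exc)
```

Because the check runs per chunk, the oversized part is rejected after the third 4096-byte chunk and the rest of the stream is never read into memory.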