Source: starlette
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for starlette.

CVE-2024-47874[0]:
| Starlette is an Asynchronous Server Gateway Interface (ASGI)
| framework/toolkit. Prior to version 0.40.0, Starlette treats
| `multipart/form-data` parts without a `filename` as text form fields
| and buffers those in byte strings with no size limit. This allows an
| attacker to upload arbitrary large form fields and cause Starlette
| to both slow down significantly due to excessive memory allocations
| and copy operations, and also consume more and more memory until the
| server starts swapping and grinds to a halt, or the OS terminates
| the server process with an OOM error. Uploading multiple such
| requests in parallel may be enough to render a service practically
| unusable, even if reasonable request size limits are enforced by a
| reverse proxy in front of Starlette. This Denial of service (DoS)
| vulnerability affects all applications built with Starlette (or
| FastAPI) accepting form requests. Version 0.40.0 fixes this issue.

https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47874
    https://www.cve.org/CVERecord?id=CVE-2024-47874

Please adjust the affected versions in the BTS as needed.
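To make the mechanism in the advisory concrete, here is an added example (not Starlette's code and not the 0.40.0 fix): a minimal streaming multipart/form-data reader that treats parts without a `filename` as text fields and buffers them in memory, exactly the behaviour described above, but stops with an error as soon as such a field grows past a per-part limit. The `max_part_size` parameter name, the `PartTooLarge` exception, the helper functions and the sample bodies are all constructed for this illustration; passing `max_part_size=None` reproduces the unbounded buffering that the CVE describes.

```python
import re
from typing import Iterable, Iterator, List, Optional, Tuple

MAX_HEADER_BYTES = 8 * 1024  # cap on a single part's header block (chosen here)


class PartTooLarge(Exception):
    """Raised when a non-file form field grows past the configured limit."""


_DISPOSITION = re.compile(rb"content-disposition:\s*form-data(.*)", re.I)
_PARAM = re.compile(rb';\s*(\w+)="([^"]*)"')


def _parse_headers(raw: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Extract name and filename from a part's Content-Disposition header."""
    name = filename = None
    for line in raw.split(b"\r\n"):
        m = _DISPOSITION.match(line)
        if m:
            params = dict(_PARAM.findall(m.group(1)))
            name = params[b"name"].decode() if b"name" in params else None
            filename = params[b"filename"].decode() if b"filename" in params else None
    return name, filename


def parse_multipart(chunks: Iterable[bytes], boundary: bytes,
                    max_part_size: Optional[int] = 1024 * 1024) -> List[dict]:
    """Consume the body chunk by chunk; return one dict per part.

    Text fields (no filename) are buffered in memory, so their size is capped
    at max_part_size. File parts are only counted, standing in for the spooled
    temporary file a real server would write. max_part_size=None means no cap.
    """
    delimiter = b"\r\n--" + boundary
    buf = bytearray()
    state = "preamble"
    parts: List[dict] = []
    current: dict = {}

    def feed(data: bytes) -> None:
        if current["filename"] is None:
            current["data"] += data
            if max_part_size is not None and len(current["data"]) > max_part_size:
                raise PartTooLarge(f"field {current['name']!r} exceeds {max_part_size} bytes")
        else:
            current["size"] += len(data)

    for chunk in chunks:
        buf += chunk
        while state != "done":
            if state == "preamble":
                idx = buf.find(b"--" + boundary + b"\r\n")
                if idx < 0:
                    break
                del buf[: idx + len(boundary) + 4]
                state = "headers"
            elif state == "headers":
                idx = buf.find(b"\r\n\r\n")
                if idx < 0:
                    if len(buf) > MAX_HEADER_BYTES:  # headers are buffered too
                        raise ValueError("part headers too large")
                    break
                name, filename = _parse_headers(bytes(buf[:idx]))
                del buf[: idx + 4]
                current = {"name": name, "filename": filename, "data": bytearray(), "size": 0}
                state = "body"
            elif state == "body":
                idx = buf.find(delimiter)
                if idx < 0:
                    # Hand over everything except a tail that could still be
                    # the start of the delimiter; the limit is checked per feed.
                    safe = len(buf) - (len(delimiter) - 1)
                    if safe > 0:
                        feed(bytes(buf[:safe]))
                        del buf[:safe]
                    break
                feed(bytes(buf[:idx]))
                del buf[: idx + len(delimiter)]
                if current["filename"] is None:
                    current["size"] = len(current["data"])
                    current["data"] = bytes(current["data"])
                else:
                    current["data"] = None
                parts.append(current)
                state = "after_delimiter"
            else:  # after_delimiter: either the closing "--" or CRLF + next headers
                if len(buf) < 2:
                    break
                if buf[:2] == b"--":
                    state = "done"
                elif buf[:2] == b"\r\n":
                    del buf[:2]
                    state = "headers"
                else:
                    raise ValueError("malformed multipart body")
    return parts


def iter_chunks(body: bytes, chunk_size: int = 4096) -> Iterator[bytes]:
    """Stand-in for an ASGI receive loop: yield the body in fixed-size pieces."""
    for i in range(0, len(body), chunk_size):
        yield body[i:i + chunk_size]


def build_body(boundary: bytes, fields: List[Tuple[str, Optional[str], bytes]]) -> bytes:
    """Construct a multipart body from (name, filename, content) triples."""
    out = bytearray()
    for name, filename, content in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += b"--" + boundary + b"\r\n" + disp.encode() + b"\r\n\r\n" + content + b"\r\n"
    return bytes(out + b"--" + boundary + b"--\r\n")


def exceeds_limit(body: bytes, boundary: bytes, max_part_size: Optional[int],
                  chunk_size: int = 1024) -> bool:
    """True if parsing aborts because a text field exceeds max_part_size."""
    try:
        parse_multipart(iter_chunks(body, chunk_size), boundary, max_part_size)
    except PartTooLarge:
        return True
    return False


# Constructed sample bodies: one ordinary request, one with an oversized text field.
BOUNDARY = b"xyz"
SAMPLE_BODY = build_body(BOUNDARY, [("comment", None, b"hello"), ("upload", "a.txt", b"file bytes")])
BIG_FIELD_BODY = build_body(BOUNDARY, [("note", None, b"A" * 5000)])

if __name__ == "__main__":
    print(parse_multipart(iter_chunks(SAMPLE_BODY, 7), BOUNDARY))
    print("capped at 4096:", exceeds_limit(BIG_FIELD_BODY, BOUNDARY, 4096))
    print("uncapped:", exceeds_limit(BIG_FIELD_BODY, BOUNDARY, None))
```

The point of the per-feed check is that the limit is enforced while the field is still arriving, so the memory a single request can pin is bounded regardless of how large the body is; a check after the whole part has been buffered would still allow the allocation the advisory warns about. Note that a reverse proxy's request size limit does not replace this: the advisory is explicit that many parallel requests within that limit can still exhaust memory.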