CVE-2023-30798
Denial of Service (DoS) vulnerability in starlette (PyPI)
What is CVE-2023-30798 About?
This vulnerability in Starlette's `MultipartParser`, which uses `python-multipart`, allows attackers to trigger a Denial of Service (DoS) by sending an unlimited number of multipart parts. Processing an excessive number of parts consumes high CPU and memory, ultimately leading to an Out-of-Memory (OOM) kill. The vulnerability is relatively easy to exploit if the application processes untrusted multipart form data.
Affected Software
- starlette
  - versions before commit 8c74c2c8dba7030154f8af18e016136bea1938fa
  - versions <0.25.0
Technical Details
Starlette's MultipartParser, which is built on the python-multipart package, is susceptible to a Denial of Service (DoS) attack. The core issue is that python-multipart accepts an unlimited number of multipart parts (form fields or files) without any upper bound. An attacker can craft a request containing an extremely large number of small or empty form fields or files. When the application calls request.form() (or the equivalent via FastAPI), the MultipartParser attempts to process every one of these parts. This processing leads to high CPU utilization and significant memory consumption, eventually exhausting available memory and causing an Out-of-Memory (OOM) exception, which can terminate the application process.
What is the Impact of CVE-2023-30798?
Successful exploitation may allow attackers to cause applications to consume excessive resources, leading to high CPU usage, out-of-memory errors, and ultimately a denial of service, rendering the application inoperable.
What is the Exploitability of CVE-2023-30798?
Exploitation of this DoS vulnerability is of low complexity. An attacker only needs the ability to send HTTP requests with a specially crafted multipart/form-data payload to an endpoint that processes request.form(). There are no authentication or privilege requirements for the attack itself, assuming the target endpoint is publicly accessible. This is a remote vulnerability, as the attacker can send the malicious request from afar. The primary prerequisites are the use of python-multipart by the application and the calling of request.form() on incoming requests. Risk factors include any web application that accepts and parses multipart form data from untrusted sources, especially common in file upload or complex form submissions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-30798?
Available Upgrade Options
- starlette
  - <8c74c2c8dba7030154f8af18e016136bea1938fa → Upgrade to 8c74c2c8dba7030154f8af18e016136bea1938fa
  - <0.25.0 → Upgrade to 0.25.0
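The upstream fix bounds the number of parts the parser will accept (Starlette 0.25.0 exposes this as the `max_files` and `max_fields` arguments of `request.form()`, each defaulting to 1000). The following stand-alone Python is an added illustration of that mitigation and is not Starlette's or python-multipart's own code: a small multipart/form-data parser that counts fields and files as each part's headers are read and raises as soon as a limit is exceeded, rather than materialising every part first. The sample bodies are constructed by `build_body`; the boundary string `demo-boundary` and the `TooManyParts` exception are this example's own names.

```python
"""Bounded multipart/form-data parsing: count parts as they are encountered and
abort once a configurable limit is exceeded, instead of accepting any number.
Illustrative stand-alone code, not Starlette's or python-multipart's parser."""
import re
from dataclasses import dataclass
from typing import List, Optional


class TooManyParts(ValueError):
    """Raised as soon as the number of fields or files exceeds the limit."""


@dataclass
class Part:
    name: str
    filename: Optional[str]   # None for an ordinary form field
    data: bytes


def parse_multipart(body: bytes, boundary: bytes,
                    max_fields: int = 1000, max_files: int = 1000) -> List[Part]:
    """Parse a multipart/form-data body while enforcing max_fields / max_files.

    The counters are checked when a part's headers have been read, before its
    data is copied into a Part, so an over-long request is rejected early.
    """
    delimiter = b"--" + boundary
    parts: List[Part] = []
    n_fields = n_files = 0

    pos = body.find(delimiter)
    if pos < 0:
        raise ValueError("no boundary delimiter in body")
    pos += len(delimiter)

    while True:
        if body.startswith(b"--", pos):
            break                        # closing delimiter: --boundary--
        if body.startswith(b"\r\n", pos):
            pos += 2                     # CRLF that follows the delimiter
        # The part ends at the next delimiter, which is preceded by CRLF.
        nxt = body.find(b"\r\n" + delimiter, pos)
        if nxt < 0:
            raise ValueError("unterminated part")
        head, sep, data = body[pos:nxt].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")

        # Minimal header parsing: only Content-Disposition matters here.
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        disposition = headers.get("content-disposition", "")
        name_m = re.search(r'\bname="([^"]*)"', disposition)
        file_m = re.search(r'\bfilename="([^"]*)"', disposition)

        # Enforce the bound before storing the part's data.
        if file_m is not None:
            n_files += 1
            if n_files > max_files:
                raise TooManyParts(f"more than {max_files} files in request")
        else:
            n_fields += 1
            if n_fields > max_fields:
                raise TooManyParts(f"more than {max_fields} fields in request")

        parts.append(Part(name=name_m.group(1) if name_m else "",
                          filename=file_m.group(1) if file_m else None,
                          data=data))
        pos = nxt + 2 + len(delimiter)   # skip CRLF and the delimiter itself
    return parts


def build_body(n_fields: int, n_files: int, boundary: bytes = b"demo-boundary") -> bytes:
    """Construct a sample body with n_fields tiny fields and n_files tiny files."""
    out = bytearray()
    for i in range(n_fields):
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="field%d"\r\n\r\n' % i
        out += b"v\r\n"
    for i in range(n_files):
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="file%d"; filename="f%d.txt"\r\n' % (i, i)
        out += b"Content-Type: text/plain\r\n\r\n"
        out += b"x\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def within_limits(body: bytes, boundary: bytes, max_fields: int, max_files: int) -> bool:
    """True if the body parses within the limits, False if it is rejected."""
    try:
        parse_multipart(body, boundary, max_fields=max_fields, max_files=max_files)
    except TooManyParts:
        return False
    return True


if __name__ == "__main__":
    ok = build_body(3, 1)
    print(len(parse_multipart(ok, b"demo-boundary")), "parts accepted")
    print("5 fields with max_fields=4 accepted?",
          within_limits(build_body(5, 0), b"demo-boundary", 4, 10))
```

A request with more parts than the configured limit is rejected with `TooManyParts` as soon as the first excess part is seen, which is the property the upgrade restores: the cost of a hostile request is bounded by the limit rather than by the size of the body the attacker is willing to send.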
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2023-48
- https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
- https://vulncheck.com/advisories/starlette-multipartparser-dos
- https://github.com/encode/starlette
- https://nvd.nist.gov/vuln/detail/CVE-2023-30798
- https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
What are Similar Vulnerabilities to CVE-2023-30798?
Similar Vulnerabilities: CVE-2023-43642, CVE-2023-33202, CVE-2023-34454, CVE-2021-35515, CVE-2015-20107
