CVE-2024-24762
Denial of Service (DoS) vulnerability in fastapi (PyPI)
What is CVE-2024-24762 About?
This vulnerability is a Regular expression Denial of Service (ReDoS) affecting `python-multipart` when parsing HTTP `Content-Type` headers with form data. A specially crafted `Content-Type` header can consume excessive CPU resources, stalling the application and preventing it from handling further requests. Exploitation can occur remotely and is simple to trigger with a malicious header.
Affected Software
- fastapi
  - <9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
  - <0.109.1
- python-multipart
  - <0.0.7
Technical Details
The python-multipart library, used by frameworks like Starlette and FastAPI, employs a regular expression to parse the HTTP Content-Type header, including its options. The vulnerability arises when a malicious Content-Type header string, specifically an application/x-www-form-urlencoded header with a complex, crafted option string (e.g., !=\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"), is sent to the application. This specially designed input causes the regular expression parser to exhibit catastrophic backtracking, leading to an exponential increase in processing time. The RegEx engine becomes stuck in an effectively infinite loop, consuming 100% of the CPU core and holding the main event loop, thereby rendering the application unresponsive and unable to process any further requests, resulting in a Denial of Service.
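The defensive counterpart to the parsing behaviour described above, as an added example that is not code from fastapi or python-multipart: a pure-ASGI middleware that applies a linear-time sanity check to the Content-Type header before python-multipart's regular expression ever sees it, plus a helper that compares an installed version against the fixed releases named on this page. The length and backslash limits are assumptions chosen for illustration.

```python
# Added example (not fastapi/python-multipart code): reject suspicious
# Content-Type headers ahead of python-multipart's regex parser, and flag
# installed versions below the fixed releases for CVE-2024-24762.
import asyncio

MAX_CONTENT_TYPE_LEN = 256   # assumption: legitimate form headers are far shorter
MAX_BACKSLASHES = 8          # assumption: real boundary=/charset= values use none
FIXED = {"python-multipart": (0, 0, 7), "fastapi": (0, 109, 1)}

def needs_upgrade(package: str, installed: str) -> bool:
    """True when `installed` is below the fixed version for `package`."""
    parts = tuple(int(p) for p in installed.split(".")[:3])
    return parts < FIXED[package]

def content_type_is_acceptable(value: bytes) -> bool:
    """Linear-time checks only; no backtracking-prone regex involved."""
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return False
    if not all(0x20 <= b < 0x7F for b in value):   # printable ASCII only
        return False
    # The crafted option string relies on long runs of backslash escapes.
    return value.count(b"\\") <= MAX_BACKSLASHES

class ContentTypeGuard:
    """ASGI middleware: 400 on a bad Content-Type, otherwise pass through."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            for name, value in scope.get("headers", []):
                if name == b"content-type" and not content_type_is_acceptable(value):
                    await send({"type": "http.response.start", "status": 400,
                                "headers": [(b"content-type", b"text/plain")]})
                    await send({"type": "http.response.body", "body": b"bad content-type"})
                    return
        await self.app(scope, receive, send)

def simulate(content_type: bytes) -> int:
    """Drive the guard with a constructed POST; return the response status."""
    sent = []
    async def inner(scope, receive, send):      # stand-in for the real app
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    async def send(msg):
        sent.append(msg)
    scope = {"type": "http", "method": "POST",
             "headers": [(b"content-type", content_type)]}
    asyncio.run(ContentTypeGuard(inner)(scope, None, send))
    return sent[0]["status"]
```

Wrapping a Starlette or FastAPI application as `ContentTypeGuard(app)` puts the check in front of form parsing; the upgrade to the fixed versions remains the actual remediation.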
What is the Impact of CVE-2024-24762?
Successful exploitation may allow attackers to cause a denial of service, making the affected application unresponsive and unavailable to legitimate users, severely impacting service availability.
What is the Exploitability of CVE-2024-24762?
Exploitation of this vulnerability is straightforward and requires low complexity. An attacker only needs to send a single, specially crafted HTTP POST request with the malicious Content-Type header to the target application. No authentication is required, as the vulnerability affects the initial parsing of the HTTP header before any authentication mechanisms are typically engaged. No specific privileges are needed beyond being able to send HTTP requests to the target server. This is a remote vulnerability, accessible to any unauthenticated attacker. The primary risk factors increasing exploitation likelihood include public-facing web applications built with frameworks like Starlette or FastAPI that process form data using python-multipart, especially those that don't have robust rate limiting or input sanitization policies for HTTP headers.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-24762?
Available Upgrade Options
- fastapi
  - <9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc → Upgrade to 9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
  - <0.109.1 → Upgrade to 0.109.1
- python-multipart
  - <0.0.7 → Upgrade to 0.0.7
Additional Resources
- https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
- https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc
- https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
- https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
What are Similar Vulnerabilities to CVE-2024-24762?
Similar Vulnerabilities: CVE-2023-36053, CVE-2022-30973, CVE-2021-27516, CVE-2020-26233, CVE-2020-8199
