CVE-2024-47874

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-47874

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47874.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-47874

Aliases

GHSA-f96h-pmfr-66vw

Related

Published

2024-10-15T16:15:05Z

Modified

2024-10-20T04:50:59.724802Z

Summary

[none]

Details

Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.

References

Affected packages

Debian:11 / starlette

Package

Name: starlette
Purl: pkg:deb/debian/starlette?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.1-1

0.16.0-1

0.18.0-1

0.20.4-1

0.23.1-1

0.24.0-1

0.25.0-1

0.25.0-2

0.26.1-1

0.28.0-1

0.30.0-1

0.31.1-1

0.37.2-1

0.38.2-1

0.39.1-1

0.39.2-1

0.41.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / starlette

Package

Name: starlette
Purl: pkg:deb/debian/starlette?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.26.1-1

0.28.0-1

0.30.0-1

0.31.1-1

0.37.2-1

0.38.2-1

0.39.1-1

0.39.2-1

0.41.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / starlette

Package

Name: starlette
Purl: pkg:deb/debian/starlette?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.41.0-1

Affected versions

0.*

0.26.1-1

0.28.0-1

0.30.0-1

0.31.1-1

0.37.2-1

0.38.2-1

0.39.1-1

0.39.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/encode/starlette

Affected ranges

Type: GIT
Repo: https://github.com/encode/starlette
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fd038f3070c302bff17ef7d173dbb0b007617733

Affected versions

0.*

0.1.0

0.1.1

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.10.0

0.10.1

0.10.4

0.11.1

0.11.2

0.11.3

0.11.4

0.12.0

0.12.0.b1

0.12.0.b2

0.12.0.b3

0.12.11

0.12.12

0.12.13

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.13.6

0.13.7

0.13.8

0.14.0

0.14.1

0.14.2

0.15.0

0.16.0

0.17.0

0.17.1

0.18.0

0.19.0

0.19.1

0.2.0

0.2.1

0.2.2

0.2.3

0.20.0

0.20.1

0.20.2

0.20.3

0.20.4

0.21.0

0.22.0

0.23.0

0.23.1

0.24.0

0.25.0

0.26.0

0.26.0.post1

0.26.1

0.27.0

0.28.0

0.29.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.30.0

0.31.0

0.31.1

0.32.0

0.32.0.post1

0.33.0

0.34.0

0.35.0

0.35.1

0.36.0

0.36.1

0.36.2

0.36.3

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

0.38.2

0.38.3

0.38.4

0.38.5

0.38.6

0.39.0

0.39.1

0.39.2

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.9.0

0.9.1

0.9.10

0.9.11

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9