—

PYSEC-2023-48

Details

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / starlette

Introduced in: 0 Fixed in: 8c74c2c8dba7030154f8af18e016136bea1938fa

Fix pip install --upgrade 'starlette>=8c74c2c8dba7030154f8af18e016136bea1938fa'

References

https://vulncheck.com/advisories/starlette-multipartparser-dos [ADVISORY]
https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x [ADVISORY]
https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa [FIX]