New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency python-multipart to v0.0.18 [security] #36

Open

renovate wants to merge 1 commit into dev from renovate/pypi-python-multipart-vulnerability

Contributor

renovate bot commented Dec 2, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
python-multipart (changelog)	`==0.0.9` -> `==0.0.18`

GitHub Vulnerability Alerts

CVE-2024-53981

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

GitHub security advisory in Starlette on October 30 by @Startr4ck
Email to python-multipart maintainer on October 3 by @mnqazi

Release Notes

Kludex/python-multipart (python-multipart)

`v0.0.18`

Hard break if found data after last boundary on MultipartParser #189.

`v0.0.17`

Handle PermissionError in fallback code for old import name #182.

`v0.0.16`

Add dunder attributes to multipart package #177.

`v0.0.15`

Replace FutureWarning to PendingDeprecationWarning #174.
Add missing files to SDist #171.

`v0.0.14`

Fix import scheme for multipart module (#168).

`v0.0.13`

Rename import to python_multipart #166.

`v0.0.12`

Improve error message when boundary character does not match #124.
Add mypy strict typing #140.
Enforce 100% coverage #159.

`v0.0.11`

Improve performance, especially in data with many CR-LF #137.
Handle invalid CRLF in header name #141.

`v0.0.10`

Support on_header_begin #103.
Improve type hints on FormParser #104.
Fix OnFileCallback type #106.
Improve type hints #110.
Improve type hints on File #111.
Add type hint to helper functions #112.
Minor fix for Field.repr #114.
Fix use of chunk_size parameter #136.
Allow digits and valid token chars in headers #134.
Fix headers being carried between parts #135.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency python-multipart to v0.0.18 [security]

4aa3017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet