Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0

Update starlette >=0.40.0 due to CVE-2024-47874 #1443

Open GhimBoon opened 2 days ago

GhimBoon commented 2 days ago

Describe the bug

starlette < 0.40.0 is vulnerable to CVE-2024-47874

https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw

To Reproduce

from starlette.applications import Starlette
from starlette.routing import Route

async def poc(request):
    async with request.form():
        pass

app = Starlette(routes=[
    Route('/', poc, methods=["POST"]),
])

curl http://localhost:8000 -F 'big=</dev/urandom'

Expected behavior

Server should not be vulnerable to an easy-to-reproduce DoS attack.

dosubot[bot] commented 2 days ago

The Chainlit codebase currently specifies a dependency on Starlette with the version constraint ^0.37.2, which means it is compatible with versions >=0.37.2, <0.38.0 [1]. To address the CVE-2024-47874 vulnerability, you will need to update the Starlette version to 0.40.0 or higher. However, this update will conflict with the current version constraint specified in the pyproject.toml file. You will need to modify the version constraint to allow for Starlette 0.40.0 or higher and ensure that there are no other dependencies that might conflict with this update.

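To make the constraint arithmetic from the comment above concrete, here is an added example (not Chainlit's or Starlette's own code) that models Poetry's caret semantics and checks whether a given pyproject.toml constraint can resolve to a release at or past the CVE-2024-47874 fix. It assumes plain numeric versions with no pre-release tags.

```python
# Added example for this issue; not Chainlit's or Starlette's own tooling.
# Models Poetry's caret (^) constraint with integer tuples so it runs with
# no extra packages. Assumes purely numeric versions (no 0.40.0rc1 etc.).
from typing import Tuple

Version = Tuple[int, ...]

# First Starlette release not affected by CVE-2024-47874 (from the issue).
FIXED_VERSION = "0.40.0"


def parse_version(text: str) -> Version:
    """'0.37.2' -> (0, 37, 2)."""
    return tuple(int(part) for part in text.strip().split("."))


def caret_bounds(constraint: str) -> Tuple[Version, Version]:
    """Translate ^X.Y.Z into (inclusive lower, exclusive upper) bounds.

    Poetry bumps the leftmost non-zero component, or the last given one if
    all are zero: ^1.2.3 -> [1.2.3, 2.0.0), ^0.37.2 -> [0.37.2, 0.38.0).
    """
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are modelled here")
    given = parse_version(constraint[1:])
    lower = list(given) + [0] * (3 - len(given))
    bump = next((i for i, c in enumerate(lower) if c), len(given) - 1)
    upper = lower[:bump] + [lower[bump] + 1] + [0] * (2 - bump)
    return tuple(lower), tuple(upper)


def allows(constraint: str, version: str) -> bool:
    """True if `version` satisfies the caret constraint."""
    lower, upper = caret_bounds(constraint)
    return lower <= parse_version(version) < upper


def is_patched(version: str) -> bool:
    """True if this Starlette version is at or past the fix."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def audit_constraint(constraint: str) -> str:
    """'patched' if every resolvable version is fixed, 'mixed' if the
    resolver may still pick an older vulnerable release, else 'vulnerable'."""
    lower, _ = caret_bounds(constraint)
    if is_patched(".".join(map(str, lower))):
        return "patched"
    return "mixed" if allows(constraint, FIXED_VERSION) else "vulnerable"


if __name__ == "__main__":
    for c in ("^0.37.2", "^0.40.0"):  # Chainlit's current constraint, then a fixed one
        print(c, "->", caret_bounds(c), audit_constraint(c))
```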