Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.
PoC
from starlette.applications import Starlette
from starlette.routing import Route
async def poc(request):
async with request.form():
pass
app = Starlette(routes=[
Route('/', poc, methods=["POST"]),
])
curl http://localhost:8000 -F 'big=</dev/urandom'
Impact
This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.
Release Notes
encode/starlette (starlette)
### [`v0.40.0`](https://redirect.github.com/encode/starlette/releases/tag/0.40.0): Version 0.40.0
[Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.2...0.40.0)
This release fixes a Denial of service (DoS) via `multipart/form-data` requests.
You can view the full security advisory:
[GHSA-f96h-pmfr-66vw](https://redirect.github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw)
#### Fixed
- Add `max_part_size` to `MultiPartParser` to limit the size of parts in `multipart/form-data`
requests [fd038f3](https://redirect.github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733).
### [`v0.39.2`](https://redirect.github.com/encode/starlette/releases/tag/0.39.2): Version 0.39.2
[Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.1...0.39.2)
##### Fixed
- Allow use of `request.url_for` when only "app" scope is available [#2672](https://redirect.github.com/encode/starlette/pull/2672).
- Fix internal type hints to support `python-multipart==0.0.12` [#2708](https://redirect.github.com/encode/starlette/pull/2708).
***
**Full Changelog**: https://github.com/encode/starlette/compare/0.39.1...0.39.2
### [`v0.39.1`](https://redirect.github.com/encode/starlette/releases/tag/0.39.1): Version 0.39.1
[Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.0...0.39.1)
#### Fixed
- Avoid regex re-compilation in `responses.py` and `schemas.py` [#2700](https://redirect.github.com/encode/starlette/pull/2700).
- Improve performance of `get_route_path` by removing regular expression usage [#2701](https://redirect.github.com/encode/starlette/pull/2701).
- Consider `FileResponse.chunk_size` when handling multiple ranges [#2703](https://redirect.github.com/encode/starlette/pull/2703).
- Use `token_hex` for generating multipart boundary strings [#2702](https://redirect.github.com/encode/starlette/pull/2702).
***
**Full Changelog**: https://github.com/encode/starlette/compare/0.39.0...0.39.1
### [`v0.39.0`](https://redirect.github.com/encode/starlette/releases/tag/0.39.0): Version 0.39.0
[Compare Source](https://redirect.github.com/encode/starlette/compare/0.38.6...0.39.0)
#### Added
- Add support for HTTP Range to `FileResponse` [#2697](https://redirect.github.com/encode/starlette/pull/2697)
***
**Full Changelog**: https://github.com/encode/starlette/compare/0.38.6...0.39.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
==0.38.6->==0.40.0GitHub Vulnerability Alerts
CVE-2024-47874
Summary
Starlette treats
multipart/form-dataparts without afilenameas text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.PoC
Impact
This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.
Release Notes
encode/starlette (starlette)
### [`v0.40.0`](https://redirect.github.com/encode/starlette/releases/tag/0.40.0): Version 0.40.0 [Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.2...0.40.0) This release fixes a Denial of service (DoS) via `multipart/form-data` requests. You can view the full security advisory: [GHSA-f96h-pmfr-66vw](https://redirect.github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw) #### Fixed - Add `max_part_size` to `MultiPartParser` to limit the size of parts in `multipart/form-data` requests [fd038f3](https://redirect.github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733). ### [`v0.39.2`](https://redirect.github.com/encode/starlette/releases/tag/0.39.2): Version 0.39.2 [Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.1...0.39.2) ##### Fixed - Allow use of `request.url_for` when only "app" scope is available [#2672](https://redirect.github.com/encode/starlette/pull/2672). - Fix internal type hints to support `python-multipart==0.0.12` [#2708](https://redirect.github.com/encode/starlette/pull/2708). *** **Full Changelog**: https://github.com/encode/starlette/compare/0.39.1...0.39.2 ### [`v0.39.1`](https://redirect.github.com/encode/starlette/releases/tag/0.39.1): Version 0.39.1 [Compare Source](https://redirect.github.com/encode/starlette/compare/0.39.0...0.39.1) #### Fixed - Avoid regex re-compilation in `responses.py` and `schemas.py` [#2700](https://redirect.github.com/encode/starlette/pull/2700). - Improve performance of `get_route_path` by removing regular expression usage [#2701](https://redirect.github.com/encode/starlette/pull/2701). - Consider `FileResponse.chunk_size` when handling multiple ranges [#2703](https://redirect.github.com/encode/starlette/pull/2703). - Use `token_hex` for generating multipart boundary strings [#2702](https://redirect.github.com/encode/starlette/pull/2702). *** **Full Changelog**: https://github.com/encode/starlette/compare/0.39.0...0.39.1 ### [`v0.39.0`](https://redirect.github.com/encode/starlette/releases/tag/0.39.0): Version 0.39.0 [Compare Source](https://redirect.github.com/encode/starlette/compare/0.38.6...0.39.0) #### Added - Add support for HTTP Range to `FileResponse` [#2697](https://redirect.github.com/encode/starlette/pull/2697) *** **Full Changelog**: https://github.com/encode/starlette/compare/0.38.6...0.39.0Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.