<p>Upgrade <code>litestar</code> to version 2.13.0 or higher.</p>

Allocation of Resources Without Limits or Throttling Affecting litestar package, versions [,2.13.0)

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-LITESTAR-8400286
published 21 Nov 2024
disclosed 20 Nov 2024
credit Marcel Hellkamp

Report a new vulnerability Found a mistake?

Introduced: 20 Nov 2024

New CVE-2024-52581 Open this link in a new tab CWE-770 Open this link in a new tab

How to fix?

Upgrade litestar to version 2.13.0 or higher.

Overview

litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits or size checks when reading the request body into memory via await self.body().

Note: All Litestar applications that process json, msgpack or form-data submission requests are affected

PoC

Start an applications that accesses Request.json(), Request.msgpack() or Request.form() or uses an extractor that relies on those parsers internally
end a large request with a matching content type. The actual content of the request does not matter.
Server memory consumption will increase very quickly until memory (and swap) are exhausted.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Attack Requirements (AT)

Present
Privileges Required (PR)

None
User Interaction (UI)

None

Confidentiality (VC)

None
Integrity (VI)

None
Availability (VA)

High

Confidentiality (SC)

None
Integrity (SI)

None
Availability (SA)

Low