Homepage

Allocation of Resources Without Limits or Throttling Affecting starlette package, versions [,0.40.0)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-STARLETTE-8186175
  • published15 Oct 2024
  • disclosed15 Oct 2024
  • creditMarcel Hellkamp
Report a new vulnerability Found a mistake?

Introduced: 15 Oct 2024

CVE-2024-47874  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade starlette to version 0.40.0 or higher.

Overview

starlette is a The little ASGI library that shines.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via multipart/form-data requests, due to treating parts without a filename as text form fields and buffering those in byte strings with no size limit.

An attacker could cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt by uploading arbitrary large form fields.

Note:

This vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.

PoC

from starlette.applications import Starlette
from starlette.routing import Route

async def poc(request):
    async with request.form():
        pass

app = Starlette(routes=[
    Route('/', poc, methods=["POST"]),
])

curl http://localhost:8000 -F 'big=</dev/urandom'

CVSS Scores

version 4.0
version 3.1