CVE-2024-24762 Overview
CVE-2024-24762 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting python-multipart, a streaming multipart parser library widely used in Python web frameworks. When processing form data, the library uses a vulnerable regular expression to parse the HTTP Content-Type header and its options. An attacker can exploit this by sending a specially crafted Content-Type header that causes the regex engine to consume excessive CPU resources, resulting in indefinite stalls lasting minutes or more while blocking the main event loop.
Critical Impact
This vulnerability enables remote attackers to completely stall web applications by sending malicious HTTP requests, rendering the server unable to process any additional requests and effectively causing a denial of service condition.
Affected Products
- fastapiexpert python-multipart (versions prior to 0.0.7)
- encode starlette (versions using vulnerable python-multipart)
- tiangolo fastapi (versions prior to 0.109.1)
Discovery Timeline
- 2024-02-05 - CVE-2024-24762 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2024-24762
Vulnerability Analysis
This vulnerability represents a classic Regular Expression Denial of Service (ReDoS) attack surface in web application middleware. The python-multipart library, which serves as a critical dependency for popular Python web frameworks like FastAPI and Starlette, contains a flawed regular expression pattern used to parse Content-Type HTTP headers.
When the regex engine encounters a maliciously crafted input string, it enters a state of catastrophic backtracking. This occurs because the regex pattern contains nested quantifiers or overlapping alternation groups that cause the matching algorithm to explore an exponentially growing number of possible paths. The impact is severe: a single malicious request can monopolize CPU resources and block the application's event loop, preventing it from handling any legitimate traffic.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity), both of which highlight the fundamental issue of algorithmic complexity attacks against string parsing routines.
Root Cause
The root cause lies in the regular expression pattern located in the multipart parsing module (specifically at lines 72-74 in multipart.py). The regex designed to extract options from the Content-Type header contains patterns that exhibit polynomial or exponential time complexity when matched against adversarial inputs. This is a common pitfall when regex patterns include:
- Nested quantifiers (e.g., (a+)+)
- Overlapping alternations with variable-length matches
- Unbounded repetitions combined with partial matches
When an attacker provides input specifically designed to maximize backtracking, the regex engine cannot complete matching in reasonable time.
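As an added illustration of the non-backtracking alternative to regex-based option parsing (this is example code, not python-multipart's own parser or its fix), the following single-pass scanner extracts Content-Type parameters in linear time, so no input shape can blow up its running time:

```python
"""Linear-time Content-Type parameter parser (added example; not the
library's code). The header is walked exactly once, so adversarial
inputs cannot trigger catastrophic backtracking."""


def parse_content_type(header: str) -> tuple[str, dict[str, str]]:
    """Return (media_type, {option: value}); quoted values are unquoted."""
    n = len(header)
    j = header.find(";")  # media type runs up to the first ';'
    media_type = (header if j < 0 else header[:j]).strip().lower()
    params: dict[str, str] = {}
    i = n if j < 0 else j + 1
    while i < n:
        while i < n and header[i] in " \t;":  # skip blanks and empty segments
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;":  # attribute name
            i += 1
        name = header[start:i].strip().lower()
        if i >= n or header[i] == ";":  # attribute without '=' is dropped
            continue
        i += 1  # consume '='
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] == '"':  # quoted-string value with escapes
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == "\\" and i + 1 < n:
                    i += 1
                buf.append(header[i])
                i += 1
            i += 1  # consume closing quote if present
            value = "".join(buf)
        else:  # bare token value up to the next ';'
            start = i
            while i < n and header[i] != ";":
                i += 1
            value = header[start:i].strip()
        if name:
            params[name] = value
    return media_type, params
```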
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. It proceeds as follows:
- The attacker identifies an endpoint that processes form data (multipart/form-data)
- The attacker crafts a malicious Content-Type header with a specially designed options string
- The attacker sends HTTP requests carrying that header to the target application
- The regex parser stalls while processing the header, blocking the event loop
- Continued requests amplify the denial-of-service effect
The malicious Content-Type header exploits the regex's vulnerability by including repeated patterns or characters that force extensive backtracking. Because the parsing occurs synchronously in the main event loop, even a single malicious request can render the entire application unresponsive for minutes.
Detection Methods for CVE-2024-24762
Indicators of Compromise
- Unusual CPU spikes correlated with incoming HTTP requests containing atypical Content-Type headers
- Application logs showing request timeouts or event loop blocking on form data endpoints
- Abnormally long response times for endpoints that accept multipart form data
- Requests with extremely long or malformed Content-Type header option values
Detection Strategies
- Monitor for HTTP requests containing Content-Type headers with unusually long option strings or repetitive character patterns
- Implement request timeout monitoring to detect requests that exceed normal processing thresholds
- Deploy web application firewall (WAF) rules to inspect and limit Content-Type header complexity
- Use application performance monitoring (APM) to identify regex processing hotspots
Monitoring Recommendations
- Enable detailed logging for all multipart form data processing endpoints
- Set up alerting thresholds for CPU utilization anomalies on web server processes
- Monitor request latency percentiles (p95, p99) for sudden degradation patterns
- Track dependency versions in CI/CD pipelines to ensure patched versions are deployed
How to Mitigate CVE-2024-24762
Immediate Actions Required
- Upgrade python-multipart to version 0.0.7 or later immediately
- Update FastAPI to version 0.109.1 or later which includes the patched dependency
- Audit all Python applications using Starlette or FastAPI to verify dependency versions
- Implement request timeouts at the web server or reverse proxy level as a defense-in-depth measure
Patch Information
The vulnerability has been patched in python-multipart version 0.0.7. The fix addresses the regex complexity issue by implementing a more efficient parsing approach that prevents catastrophic backtracking.
Relevant patches and commits:
For complete details, refer to the python-multipart security advisory, Starlette security advisory, and FastAPI security advisory.
Workarounds
- Configure reverse proxy or load balancer request timeouts to limit maximum request processing time
- Implement input validation to reject Content-Type headers exceeding reasonable length thresholds
- Deploy rate limiting on endpoints that accept multipart form data to reduce attack surface
- Consider temporarily disabling form data processing on non-essential endpoints until patching is complete
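One way to apply the length-threshold workaround above, as an added example that is not Starlette's or FastAPI's own code: a framework-agnostic ASGI middleware that answers overlong Content-Type headers before the request ever reaches the multipart parser. The limit MAX_CONTENT_TYPE_LEN is an assumed value.

```python
"""Pure-ASGI middleware (added example) that rejects requests whose
Content-Type header exceeds a length limit before the inner app's
multipart parser can see them. The limit is an assumption."""
import asyncio

MAX_CONTENT_TYPE_LEN = 256  # assumed ceiling; legitimate values are far shorter


class ContentTypeLimitMiddleware:
    def __init__(self, app, max_len: int = MAX_CONTENT_TYPE_LEN):
        self.app = app
        self.max_len = max_len

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            for name, value in scope.get("headers", []):
                if name == b"content-type" and len(value) > self.max_len:
                    # 431 Request Header Fields Too Large; inner app never runs
                    await send({"type": "http.response.start", "status": 431,
                                "headers": [(b"content-type", b"text/plain")]})
                    await send({"type": "http.response.body",
                                "body": b"Content-Type header too long"})
                    return
        await self.app(scope, receive, send)


async def inner_app(scope, receive, send):
    """Stand-in for the real application (would parse the form body)."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def run_request(content_type: bytes) -> int:
    """Drive the middleware with a constructed POST; return the status code."""
    app = ContentTypeLimitMiddleware(inner_app)
    scope = {"type": "http", "method": "POST", "path": "/upload",
             "headers": [(b"host", b"example.test"),
                         (b"content-type", content_type)]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```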
# Upgrade python-multipart to the patched version (quote the specifier so the shell does not treat '>=' as a redirection)
pip install --upgrade "python-multipart>=0.0.7"
# Upgrade FastAPI to the patched version
pip install --upgrade "fastapi>=0.109.1"
# Verify installed versions
pip show python-multipart fastapi | grep -E "^(Name|Version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.