CVE-2023-25578

HIGH

Starlite < 1.51.2 - Unauthenticated Denial of Service via Multipart Body Parsing

Title source: llm

Description

Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q

Patch x_refsource_misc

https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/starlite-api/starlite/releases/tag/v1.51.2

Scores

CVSS v3 7.5

EPSS 0.0100

EPSS Percentile 58.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

pypi/starlite 0 - 1.51.2PyPI

starliteproject/starlite < 1.51.2

Published Feb 15, 2023

Tracked Since Feb 18, 2026