CVE-2023-30798

HIGH

Encode Starlette < 0.25.0 - Denial of Service


Description

The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated, remote attacker to specify any number of form fields or files, which can cause excessive memory usage, resulting in denial of service of the HTTP service.

Scores

CVSS v3 7.5
EPSS 0.0088
EPSS Percentile 75.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (2)
encode/starlette < 0.25.0
pypi/starlette 0 - 0.25.0 (PyPI)
Published Apr 21, 2023
Tracked Since Feb 18, 2026