CVE-2024-52581
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-52581 is a vulnerability affecting the Litestar Asynchronous Server Gateway Interface (ASGI) framework prior to version 2.13.0. The issue lies in the multipart form parser, which expects the entire request body to be available as a single byte string and applies no default size limit. An attacker can therefore send an excessively large file wrapped in a `multipart/form-data` request and force the server to hold the whole body in memory, leading to excessive memory consumption. Because the parser is designed around a fully buffered body, large file uploads cannot be accepted safely. This issue might be a regression, as a similar vulnerability was reported in CVE-2023-25578. Limiting the number of parts does not provide sufficient protection against out-of-memory errors on the server, since a single part can still be arbitrarily large. A patch is available in version 2.13.0.
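The following is an added illustration of the mitigation class described above, not Litestar's own code or its 2.13.0 fix: a hypothetical ASGI middleware that refuses a request body that exceeds a cap, both from the declared Content-Length and by counting streamed chunks, so a chunked upload that carries no Content-Length still cannot make a buffering parser hold more than the cap. `buffering_app` stands in for the pre-fix behaviour and `run_upload` is a constructed harness.

```python
import asyncio

class BodyTooLarge(Exception): pass  # raised once streamed body bytes exceed the cap

class BodySizeLimit:
    """Hypothetical ASGI middleware (not Litestar's): cap the body before a buffering parser reads it."""

    def __init__(self, app, max_body_size=10 * 1024 * 1024):
        self.app, self.max_body_size = app, max_body_size

    async def __call__(self, scope, receive, send):
        declared = dict(scope.get("headers", [])).get(b"content-length")
        if declared is not None and int(declared) > self.max_body_size:
            return await reject(send)  # cheap path: refuse on the declared size alone
        seen = 0
        async def counted_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_body_size:  # chunked uploads carry no Content-Length
                    raise BodyTooLarge(seen)
            return message
        try:
            await self.app(scope, counted_receive, send)
        except BodyTooLarge:
            await reject(send)

async def reject(send):
    await send({"type": "http.response.start", "status": 413, "headers": []})
    await send({"type": "http.response.body", "body": b"payload too large"})

async def buffering_app(scope, receive, send):
    # Stand-in for the pre-2.13.0 parser: accumulate the whole body as one bytes object.
    body, more = b"", True
    while more:
        message = await receive()
        body, more = body + message.get("body", b""), message.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"parsed %d bytes" % len(body)})

def run_upload(chunks, max_body_size, content_length=None):
    """Drive a constructed chunked upload through the middleware; return the response status."""
    queue, sent = list(chunks), []
    async def receive():
        return {"type": "http.request", "body": queue.pop(0), "more_body": len(queue) > 0}
    async def send(msg): sent.append(msg)
    headers = [(b"content-length", str(content_length).encode())] if content_length else []
    app = BodySizeLimit(buffering_app, max_body_size)
    asyncio.run(app({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"]
```

The streamed count is what matters: a client that omits Content-Length and sends the body chunked bypasses the header check, so the cap must also be enforced on the bytes actually received.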