7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53981

CVE-2024-53981: Denial of service (DoS) via deformation `multipart/form-data` boundary

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

GitHub security advisory in Starlette on October 30 by @Startr4ck
Email to python-multipart maintainer on October 3 by @mnqazi

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-53981

CVE-2024-53981:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
python-multipart	pip	< 0.0.18	0.0.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how trailing data after boundaries is handled in multipart.py. The commit diff shows the fix specifically modifies the MultipartState.END handling in data_callback to skip CRLF pairs atomically rather than byte-by-byte. The original code's 'i = length' approach combined with per-byte logging in a loop (implied by 'i += 1' patterns) would process large amounts of post-boundary data inefficiently. The added test in test_multipart.py verifies the logging behavior, confirming the vulnerable pattern existed in the pre-patch implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-53981: Denial of service (DoS) via deformation `multipart/form-data` boundary

Summary

Impact

Original Report

CVE-2024-53981:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

CVE-2024-53981: Denial of service (DoS) via deformation `multipart/form-data` boundary

Summary

Impact

Original Report

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-53981: Denial of service (DoS) via deformation `multipart/form-data` boundary

Summary

Impact

Original Report

CVE-2024-53981:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-53981: Denial of service (DoS) via deformation `multipart/form-data` boundary

Summary

Impact

Original Report

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI