Litestar
CVE-2024-52581
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 pypi packages depend on litestar (1 direct, 0 indirect)
- 9 pypi packages depend on starlite (9 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.13.0 and other introduced versions.
DescriptionCVE.org
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.
AnalysisAI
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0. Affected products include: Litestar. Version information: version 2.13.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.
Litestar ASGI framework versions before 2.20.0 fail to properly escape regex metacharacters in CORS origin validation, a
Cache poisoning in Litestar before 2.20.0 allows unauthenticated remote attackers to exploit improper Unicode normalizat
Litestar versions before 2.20.0 improperly escape regex metacharacters in the allowed_hosts middleware, allowing attacke
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today