Update dependency starlette to v0.47.2 [SECURITY] #22

renovate · 2024-12-20T16:34:26Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
starlette (changelog)	`==0.37.2` -> `==0.47.2`

Starlette Denial of service (DoS) via multipart/form-data

CVE-2024-47874 / GHSA-f96h-pmfr-66vw

More information

Details

Summary

Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.

PoC

from starlette.applications import Starlette
from starlette.routing import Route

async def poc(request):
    async with request.form():
        pass

app = Starlette(routes=[
    Route('/', poc, methods=["POST"]),
])

curl http://localhost:8000 -F 'big=</dev/urandom'

Impact

This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.

Severity

CVSS Score: 8.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Starlette has possible denial-of-service vector when parsing large files in multipart forms

CVE-2025-54121 / GHSA-2c2j-9gv5-cj73

More information

Details

Summary

When parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.

Details

Please see this discussion for details: https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied from here) has a minor bug. Instead of just checking for self._in_memory we should also check if the additional bytes will cause a rollover.

    @&#8203;property
    def _in_memory(self) -> bool:
        # check for SpooledTemporaryFile._rolled
        rolled_to_disk = getattr(self.file, "_rolled", True)
        return not rolled_to_disk

    async def write(self, data: bytes) -> None:
        if self.size is not None:
            self.size += len(data)

        if self._in_memory:
            self.file.write(data)
        else:
            await run_in_threadpool(self.file.write, data)

I have already created a PR which fixes the problem: https://github.com/encode/starlette/pull/2962

PoC

See the discussion here for steps on how to reproduce.

Impact

To be honest, very low and not many users will be impacted. Parsing large forms is already CPU intensive so the additional IO block doesn't slow down starlette that much on systems with modern HDDs/SSDs. If someone is running on tape they might see a greater impact.

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

Kludex/starlette (starlette)

Uh oh!

Update dependency starlette to v0.47.2 [SECURITY] #22

Are you sure you want to change the base?

Update dependency starlette to v0.47.2 [SECURITY] #22

Uh oh!

Conversation

renovate bot commented Dec 20, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Starlette Denial of service (DoS) via multipart/form-data

Details

Summary

PoC

Impact

Severity

References

Starlette has possible denial-of-service vector when parsing large files in multipart forms

Details

Summary

Details

PoC

Impact

Severity

References

Release Notes

v0.47.2

Fixed

New Contributors

v0.47.1: Version 0.47.1

Fixed

v0.47.0: Version 0.47.0

Added

Changed

Fixed

New Contributors

v0.46.2: Version 0.46.2

What's Changed

New Contributors

v0.46.1: Version 0.46.1

Fixed

v0.46.0: Version 0.46.0

Added

Fixed

Changed

Deprecated

New Contributors

v0.45.3: Version 0.45.3

Fixed

v0.45.2: Version 0.45.2

Fixed

v0.45.1: Version 0.45.1

Fixed

Refactor

v0.45.0: Version 0.45.0

Removed

v0.44.0: Version 0.44.0

Added

New Contributors

v0.43.0: Version 0.43.0

Removed

Added

New Contributors

v0.42.0: Version 0.42.0

Added

Fixed

New Contributors

v0.41.3: Version 0.41.3

Fixed

v0.41.2: Version 0.41.2

What's Changed

v0.41.1: Version 0.41.1

What's Changed

v0.41.0: Version 0.41.0

Added

v0.40.0: Version 0.40.0

Fixed

v0.39.2: Version 0.39.2

Fixed

v0.39.1: Version 0.39.1

Fixed

v0.39.0: Version 0.39.0

renovate bot commented Dec 20, 2024 •

edited

Loading

`v0.47.2`

`v0.47.1`: Version 0.47.1

`v0.47.0`: Version 0.47.0

`v0.46.2`: Version 0.46.2

`v0.46.1`: Version 0.46.1

`v0.46.0`: Version 0.46.0

`v0.45.3`: Version 0.45.3

`v0.45.2`: Version 0.45.2

`v0.45.1`: Version 0.45.1

`v0.45.0`: Version 0.45.0

`v0.44.0`: Version 0.44.0

`v0.43.0`: Version 0.43.0

`v0.42.0`: Version 0.42.0

`v0.41.3`: Version 0.41.3

`v0.41.2`: Version 0.41.2

`v0.41.1`: Version 0.41.1

`v0.41.0`: Version 0.41.0

`v0.40.0`: Version 0.40.0

`v0.39.2`: Version 0.39.2

`v0.39.1`: Version 0.39.1

`v0.39.0`: Version 0.39.0

`v0.38.6`: Version 0.38.6

`v0.38.5`: Version 0.38.5

`v0.38.4`: Version 0.38.4

`v0.38.3`: Version 0.38.3

`v0.38.2`: Version 0.38.2

`v0.38.1`: Version 0.38.1

`v0.38.0`: Version 0.38.0

thepetk commented Dec 21, 2024 •

edited

Loading

thepetk commented Jan 6, 2025 •

edited

Loading