Search for vulnerabilities
| Vulnerability ID | VCID-gb68-ds24-f7h9 |
| Aliases |
GHSA-93gm-qmq6-w238
GMS-2024-92 |
| Summary | Starlette Content-Type Header ReDoS ### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| There are no known severity scores. | ||
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T04:46:59.723553+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/GMS-2024-92.yml | 38.6.0 |