
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2023-25578) affects the Starlite Python package, versions <=1.51.1; it was discovered and disclosed on February 15, 2023. It lies in the multipart body parser, which accepts an unbounded number of file parts and field parts with no cap on their count. Applications are affected when a request handler accepts Body(media_type=RequestEncodingType.MULTI_PART) (GitHub Advisory).
The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), a Denial of Service (DoS) weakness, with a CVSS v3.1 base score of 7.5 (High): network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no impact on confidentiality or integrity, and high impact on availability. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).
The vulnerability allows a potentially unauthenticated attacker to make the server consume large amounts of CPU time and RAM. Processing such requests can occupy all available worker processes and significantly delay or slow down legitimate user requests, and the RAM consumed while parsing can trigger Out-Of-Memory kills. A complete DoS is achievable by sending many concurrent multipart requests in a loop (GitHub Advisory).
The vulnerability has been patched in version 1.51.2 of the Starlite package. The fix adds a multipart form part limit configuration option that caps the number of parts the parser will accept, which protects against this DoS (GitHub Release).
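As an added illustration of the mitigation the fix introduces, the following standalone parser enforces a part-count limit on a multipart/form-data body. It is example code written for this entry, not Starlite's own parser or the project's patch; the names parse_multipart, build_body, MultipartLimitExceeded, the BOUNDARY value and the default limit of 1000 parts are assumptions of the example, and the request bodies it parses are constructed inline. The point it shows is where the check sits: the count is tested before any work is done on the next part, so an oversized body is rejected at a cost independent of how many parts the sender chose to include.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class MultipartLimitExceeded(ValueError):
    """Raised when a body carries more parts than the configured limit."""


@dataclass
class Part:
    name: str
    filename: Optional[str]  # None for plain field parts
    data: bytes


def _disposition_param(disposition: str, param: str) -> Optional[str]:
    # Extract a quoted parameter (name="..." / filename="...") from a
    # Content-Disposition header value; None if the parameter is absent.
    match = re.search(rf'\b{param}="([^"]*)"', disposition)
    return match.group(1) if match else None


def parse_multipart(body: bytes, boundary: bytes, max_parts: int = 1000) -> List[Part]:
    """Parse a multipart/form-data body, refusing more than ``max_parts`` parts.

    The limit is checked before the next part's headers are touched, so a
    flood of parts fails fast instead of costing CPU and RAM per part.
    (Illustrative parser; the 1000-part default is an assumption.)
    """
    delimiter = b"--" + boundary
    parts: List[Part] = []
    # Segment 0 is the preamble before the first delimiter; skip it.
    for segment in body.split(delimiter)[1:]:
        if segment.startswith(b"--"):
            break  # closing delimiter "--boundary--": end of the body
        if len(parts) >= max_parts:
            raise MultipartLimitExceeded(
                f"multipart body exceeds the limit of {max_parts} parts")
        # Each part is "\r\n<headers>\r\n\r\n<data>\r\n".
        if segment.startswith(b"\r\n"):
            segment = segment[2:]
        header_blob, sep, data = segment.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing blank line after headers")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers: Dict[str, str] = {}
        for line in header_blob.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        parts.append(Part(
            name=_disposition_param(disposition, "name") or "",
            filename=_disposition_param(disposition, "filename"),
            data=data,
        ))
    return parts


def build_body(boundary: bytes,
               fields: List[Tuple[str, Optional[str], bytes]]) -> bytes:
    """Build a constructed multipart/form-data body for exercising the parser."""
    chunks = []
    for name, filename, data in fields:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        chunks.append(b"--" + boundary + b"\r\n"
                      + b"Content-Disposition: " + disposition.encode() + b"\r\n\r\n"
                      + data + b"\r\n")
    chunks.append(b"--" + boundary + b"--\r\n")
    return b"".join(chunks)


BOUNDARY = b"exampleboundary"  # constructed value for the demo


def demo() -> dict:
    """Run a benign body and an oversized one through the bounded parser."""
    benign = build_body(BOUNDARY, [("user", None, b"alice"),
                                   ("avatar", "a.png", b"\x89PNG...")])
    ok = parse_multipart(benign, BOUNDARY, max_parts=1000)
    # A constructed body with 5000 parts stands in for the oversized request.
    flood = build_body(BOUNDARY, [(f"f{i}", None, b"x") for i in range(5000)])
    try:
        parse_multipart(flood, BOUNDARY, max_parts=1000)
        rejected = False
    except MultipartLimitExceeded:
        rejected = True
    return {"benign_parts": len(ok), "flood_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The part limit bounds the number of parts but not the size of each one, so in a deployment it is complemented by a maximum request body size enforced at the reverse proxy or server in front of the application.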
Source: This report was generated using AI