CVE-2024-24762
Python vulnerability analysis and mitigation

Overview

CVE-2024-24762 affects python-multipart, a streaming multipart parser for Python. When parsing form data, python-multipart uses a regular expression to parse the HTTP Content-Type header, including its options. The vulnerability affects versions <=0.0.6 and was patched in version 0.0.7 (GitHub Advisory).

Technical details

The vulnerability is a Regular Expression Denial of Service (ReDoS) issue. The parser uses a regular expression to process the Content-Type header options. An attacker can craft a malicious Content-Type header option that causes the regular expression to process inefficiently, consuming excessive CPU and stalling indefinitely while holding the main event loop, so the process cannot handle additional requests (GitHub Advisory).

Impact

When exploited, this vulnerability causes a denial of service by making the server unresponsive. The attack can completely block the server from processing new requests, because the CPU is consumed matching the regular expression against the malicious header. This affects applications that parse form data with python-multipart, including those built on frameworks such as FastAPI and Starlette (GitHub Advisory).

Mitigation and workarounds

The recommended mitigation is to upgrade python-multipart to version 0.0.7 or later. Major frameworks that depend on python-multipart, such as FastAPI (in version 0.109.1) and Starlette, have updated their dependencies to require the patched version (FastAPI Release, Starlette Commit).
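As an added example (not from the advisory or the python-multipart project), the check below compares an installed version string against the 0.0.7 fix release, and an ASGI middleware caps Content-Type header length as defense in depth while the upgrade is rolled out; the 512-byte limit and the `status_for` harness are assumptions for illustration.

```python
# Added example, not from the advisory or python-multipart: a version check against
# the fix release plus an ASGI middleware that caps Content-Type header length.
import asyncio
import re

PATCHED = (0, 0, 7)          # first python-multipart release without the ReDoS
MAX_CONTENT_TYPE_LEN = 512   # assumed cap; real multipart Content-Type values are far shorter

def parse_version(v):
    """'0.0.6' -> (0, 0, 6); non-numeric suffixes on a component are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_vulnerable(installed):
    """True for python-multipart <= 0.0.6 (pass importlib.metadata.version('python-multipart'))."""
    return parse_version(installed) < PATCHED

class ContentTypeLengthMiddleware:
    """Reject requests with an implausibly long Content-Type header before any multipart
    parser sees it; bounding the input bounds the regex's worst-case work."""

    def __init__(self, app, limit=MAX_CONTENT_TYPE_LEN):
        self.app, self.limit = app, limit

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            for name, value in scope.get("headers", []):
                if name.lower() == b"content-type" and len(value) > self.limit:
                    await send({"type": "http.response.start", "status": 431,
                                "headers": [(b"content-type", b"text/plain")]})
                    await send({"type": "http.response.body", "body": b"header too long"})
                    return
        await self.app(scope, receive, send)

def status_for(content_type):
    """Constructed harness: run the middleware over a fake ASGI app, return the status."""
    async def ok_app(scope, receive, send):
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "headers": [(b"content-type", content_type)]}
    asyncio.run(ContentTypeLengthMiddleware(ok_app)(scope, receive, send))
    return sent[0]["status"]
```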

Community reactions

The vulnerability has led to immediate responses from major frameworks in the Python ecosystem. FastAPI and Starlette quickly released updates to require the patched version of python-multipart, demonstrating the security-conscious nature of the Python web development community (FastAPI Release, Starlette Commit).

