CVE-2024-47874: 
Python vulnerability analysis and mitigation

Starlette, an Asynchronous Server Gateway Interface (ASGI) framework/toolkit, was found to contain a Denial of Service (DoS) vulnerability (CVE-2024-47874) affecting versions prior to 0.40.0. The vulnerability impacts all applications built with Starlette or FastAPI that accept form requests. The issue was discovered and disclosed on October 15, 2024 (NVD, GitHub Advisory).

The vulnerability stems from Starlette's handling of multipart/form-data parts without a filename, which are treated as text form fields and buffered in byte strings with no size limit. This implementation flaw is tracked as CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has received a CVSS v4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

When exploited, this vulnerability allows attackers to upload arbitrary large form fields, causing significant server slowdown due to excessive memory allocations and copy operations. The server can consume increasing amounts of memory until it either starts swapping and grinds to a halt or the operating system terminates the server process with an Out of Memory (OOM) error. Multiple parallel requests can render a service practically unusable, even with reasonable request size limits enforced by a reverse proxy (GitHub Advisory).

The vulnerability has been fixed in Starlette version 0.40.0. The fix implements a maximum size limit for form parts to prevent unlimited memory allocation. Users are strongly advised to upgrade to this version or later to mitigate the vulnerability (GitHub Commit).