CVE-2024-52581: 
Python vulnerability analysis and mitigation

CVE-2024-52581 affects Litestar, an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with Litestar expects the entire request body as a single byte string and has no default limit for the total size of the request body. The vulnerability was discovered and disclosed in November 2024 (NVD).

The vulnerability stems from the multipart form parser's design, which expects the entire request body to be available as a single byte string. This allows attackers to upload arbitrary large files wrapped in a multipart/form-data request, leading to excessive memory consumption on the server. The issue appears to be a regression of a similar vulnerability (CVE-2023-25578). The vulnerability has received a CVSS v4.0 base score of 8.2 (HIGH) with vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L (NVD).

When exploited, this vulnerability can lead to denial of service (DoS) through excessive memory consumption on the server. The parser's design makes it impossible to accept large file uploads safely, as it requires loading the entire request body into memory (GitHub Advisory).

A patch is available in Litestar version 2.13.0. For users unable to upgrade immediately, it is recommended to implement request size limits at the reverse proxy level (e.g., using NGINX) to prevent large requests from reaching the application (GitHub Advisory).