CVE-2024-9340: 
Python vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability has been identified in zenml-io/zenml version 0.66.0 (CVE-2024-9340). The vulnerability allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This affects the /api/v1/login and /api/v1/device_authorization endpoints (NVD).

The vulnerability stems from a flaw in the multipart request boundary processing mechanism that leads to an infinite loop when processing malformed requests. The issue has been assigned a CVSS v3.0 base score of 7.5 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD, GitHub Commit).

When exploited, this vulnerability results in a complete denial of service for all users of the affected system. The attack can be executed remotely by unauthenticated attackers, making it particularly severe as it can disrupt service availability without requiring any special access privileges (NVD).

A fix has been implemented in the zenml-io/zenml repository through a commit that adds request body size limits and file upload restrictions. The patch includes middleware to prevent excessive request sizes and restrict file uploads to specific paths (GitHub Commit).