fix: set python-multipart minimum version to address CVE-2024-24762 #6237
Open
maycuatroi1 wants to merge 1 commit into jina-ai:master from
Conversation
python-multipart without a lower bound allows installing versions vulnerable to CVE-2024-24762 (CVSS 7.5, ReDoS). The vulnerability is in parse_options_header(). A crafted Content-Type header with an unclosed quoted-string boundary triggers catastrophic backtracking in the internal regex (?:\\.|[^"])*. Response time grows exponentially with payload length, allowing an attacker to hang the server with a single HTTP request containing ~40 backslash characters. Setting >=0.0.7 ensures the patched version is installed. Both extra-requirements.txt and jina/resources/extra-requirements.txt are updated to keep them in sync. Ref: GHSA-2jv5-9r88-3w3p
What

Adds a minimum version constraint >=0.0.7 to python-multipart in both extra-requirements.txt and jina/resources/extra-requirements.txt.

Why

python-multipart without a lower bound allows installing versions affected by CVE-2024-24762 (CVSS 7.5, ReDoS).

The vulnerability is in parse_options_header(). When processing a Content-Type header containing a crafted unclosed quoted-string boundary, the internal regex (?:\\.|[^"])* enters catastrophic backtracking. Response time grows exponentially with the number of backslash characters in the payload, allowing an attacker to hang the server with a single HTTP request.

Measured behavior against python-multipart 0.0.6:

The fix was released in version 0.0.7.

Change

Both extra-requirements.txt and jina/resources/extra-requirements.txt are updated to keep them in sync.

Ref: GHSA-2jv5-9r88-3w3p
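As an added example (not part of this PR or of Jina's code), the check below scans requirement lines for a python-multipart entry whose specifier set still admits a release older than 0.0.7, i.e. the unbounded "before" state this PR fixes. It assumes pip-style requirement lines and treats an optional trailing ": tags" annotation (assumed to be the layout of Jina's extra-requirements.txt) as ignorable.

```python
import re
from typing import List, Optional, Tuple

PACKAGE = "python-multipart"
FIXED = (0, 0, 7)  # first python-multipart release carrying the CVE-2024-24762 fix

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a plain dotted release such as '0.0.7' into a comparable tuple."""
    return tuple(int(p) for p in text.strip().split("."))


def lower_bound(specifiers: str) -> Optional[Version]:
    """Lowest version a comma-separated specifier set admits.

    '>=', '==', '>' and '~=' establish a floor; '<', '<=' and '!=' do not.
    Returns None when the set has no lower bound at all.
    """
    floor = None
    for clause in (c.strip() for c in specifiers.split(",") if c.strip()):
        m = re.fullmatch(r"(>=|==|>|~=)\s*([0-9]+(?:\.[0-9]+)*)", clause)
        if m:
            candidate = parse_version(m.group(2))
            if floor is None or candidate > floor:
                floor = candidate
    return floor


def vulnerable_lines(req_text: str) -> List[str]:
    """Return the requirement lines that still admit python-multipart < 0.0.7."""
    hits = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        body = line.split(":", 1)[0].strip()          # drop assumed ': tags' suffix
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)", body)
        if not m or m.group(1).lower().replace("_", "-") != PACKAGE:
            continue
        floor = lower_bound(m.group(2))
        if floor is None or floor < FIXED:            # unbounded or too low
            hits.append(raw)
    return hits


# Constructed sample lines: the unbounded entry and the entry as pinned by this PR.
SAMPLE_BEFORE = "numpy: core\npython-multipart: standard\n"
SAMPLE_AFTER = "numpy: core\npython-multipart>=0.0.7: standard\n"
```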