python-multipart vulnerable to content-type header Regular expression Denial of Service

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

FastAPI 资源管理错误漏洞

Python是Python基金会的一套开源的、面向对象的程序设计语言。该语言具有可扩展、支持模块和包、支持多种平台等特点。express是expressjs开源的一个 Node.js 的快速、无限制、极简的 web 框架。 FastAPI 0.109.0版本及之前版本存在资源管理错误漏洞，该漏洞源于所依赖的软件包 python-multipart 会消耗 CPU 资源并在保持主事件循环的同时无限期地停止。

N/A

N/A