
CVE-2024-24762: CWE-400 Uncontrolled Resource Consumption in Kludex python-multipart

High
Tags: Vulnerability, CVE-2024-24762, cve, cwe-400
Published: Mon Feb 05 2024 (02/05/2024, 14:33:06 UTC)
Source: CVE
Vendor/Project: Kludex
Product: python-multipart

Description

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 01:28:12 UTC

Technical Analysis

CVE-2024-24762 is a high-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Kludex python-multipart library, a streaming multipart parser for Python. The vulnerability arises from the way python-multipart parses the HTTP Content-Type header when handling form data. Specifically, it uses a Regular Expression (RegEx) to parse the Content-Type header and its options. An attacker can craft a malicious Content-Type header with options designed to cause catastrophic backtracking or excessive processing time in the RegEx engine. This results in significant CPU resource consumption and stalls the main event loop of the affected process for minutes or longer. Because the main event loop is blocked, the process cannot handle additional incoming requests, effectively causing a Denial of Service (DoS) condition. The vulnerability affects version 0 of python-multipart and was patched in version 0.0.7. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability. There is no impact on confidentiality or integrity. No known exploits are currently reported in the wild. The vulnerability is particularly relevant for Python applications that rely on python-multipart to parse multipart form data, especially in web servers or APIs that handle file uploads or form submissions. Since the vulnerability blocks the main event loop, it is especially critical for asynchronous Python frameworks (e.g., FastAPI, Starlette) that depend on event loops for concurrency and responsiveness. Without mitigation, attackers can disrupt service availability by sending specially crafted HTTP requests with malicious Content-Type headers, leading to service outages or degraded performance.

Potential Impact

For European organizations, the impact of CVE-2024-24762 can be significant, particularly for those running Python-based web services or APIs that utilize the python-multipart library for handling multipart form data. The denial of service caused by this vulnerability can lead to service unavailability, affecting customer-facing applications, internal tools, or critical infrastructure services. This can result in operational disruption, loss of user trust, and potential financial losses due to downtime. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often rely on web applications for critical operations, may face increased risk. Additionally, the asynchronous nature of many modern Python web frameworks used in Europe amplifies the impact since the main event loop blocking can halt all request processing. While there is no direct data breach risk, the availability impact alone can be severe, especially for services with high traffic or real-time processing requirements. The lack of required authentication or user interaction lowers the barrier for exploitation, making it easier for remote attackers to launch denial of service attacks without prior access. Given the widespread use of Python in European software development, the vulnerability could affect a broad range of organizations if they have not updated to the patched version.

Mitigation Recommendations

1. Immediate upgrade to python-multipart version 0.0.7 or later, where the vulnerability is patched. This is the most effective and straightforward mitigation.
2. Implement input validation and sanitization at the application or web server level to detect and reject suspicious or malformed Content-Type headers before they reach the python-multipart parser.
3. Employ rate limiting and request throttling to reduce the impact of potential denial of service attempts by limiting the number of requests from a single source or IP address.
4. Use Web Application Firewalls (WAFs) with custom rules to detect and block requests with abnormal or suspicious Content-Type header patterns.
5. Monitor application logs and performance metrics for signs of high CPU usage or stalled event loops that could indicate exploitation attempts.
6. For asynchronous Python applications, consider isolating the multipart parsing logic in separate worker processes or threads to prevent the entire event loop from being blocked.
7. Educate development and security teams about this vulnerability to ensure timely patching and awareness of potential attack vectors.
8. Conduct regular dependency audits and integrate automated vulnerability scanning in CI/CD pipelines to detect outdated or vulnerable python-multipart versions.
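The following is an added example, not code from python-multipart or from this advisory, showing how recommendations 1 and 2 can be enforced in an application: a linear-time, length-bounded Content-Type validator that rejects malformed or oversized headers before any regex-based parser sees them, and a startup gate that refuses to run with a python-multipart older than the patched 0.0.7. The limits `MAX_HEADER_LEN` and `MAX_PARAMS` are constructed values chosen for illustration; the boundary character set and the 70-character limit come from RFC 2046 section 5.1.1.

```python
"""Defensive pre-checks for multipart Content-Type headers (added example;
not code from python-multipart or the advisory)."""
from importlib import metadata
from typing import Optional

MAX_HEADER_LEN = 1024   # constructed bound; real boundaries are well under 100 chars
MAX_PARAMS = 8          # multipart/form-data needs only `boundary`

# Characters permitted in a multipart boundary (RFC 2046 section 5.1.1)
BOUNDARY_CHARS = frozenset(
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "'()+_,-./:=? "
)


def parse_content_type(value: str):
    """Split a Content-Type header into (media_type, params) using plain string
    operations only, so every step is linear in len(value) with no backtracking.
    Returns None when the header is oversized or malformed."""
    if len(value) > MAX_HEADER_LEN:
        return None
    parts = value.split(";")
    media_type = parts[0].strip().lower()
    main_type, _, sub_type = media_type.partition("/")
    if not main_type or not sub_type or "/" in sub_type:
        return None
    if len(parts) - 1 > MAX_PARAMS:
        return None
    params = {}
    for raw in parts[1:]:
        if not raw.strip():          # tolerate a trailing ';'
            continue
        if "=" not in raw:
            return None
        key, _, val = raw.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not key or not val:
            return None
        # Accept a quoted value, but only a simple one (no escapes, no inner quotes)
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
            if '"' in val or "\\" in val:
                return None
        params[key] = val
    return media_type, params


def is_acceptable_multipart(value: str) -> bool:
    """True only for a well-formed multipart/form-data header whose boundary
    obeys the RFC 2046 character set and length (1 to 70 chars, no trailing space).
    Call this on the raw header before handing the request to the multipart parser."""
    parsed = parse_content_type(value)
    if parsed is None:
        return False
    media_type, params = parsed
    if media_type != "multipart/form-data":
        return False
    boundary = params.get("boundary")
    if boundary is None or not 1 <= len(boundary) <= 70:
        return False
    if boundary.endswith(" ") or any(c not in BOUNDARY_CHARS for c in boundary):
        return False
    return True


def _leading_int(piece: str) -> int:
    """Numeric prefix of a version component; pre-release suffixes are ignored."""
    digits = ""
    for ch in piece:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0


def python_multipart_is_patched(version: Optional[str] = None) -> bool:
    """Return True when python-multipart is >= 0.0.7 (the version the advisory
    names as patched). Pass `version` to check a string without consulting
    the installed environment."""
    if version is None:
        try:
            version = metadata.version("python-multipart")
        except metadata.PackageNotFoundError:
            return False
    numbers = [_leading_int(p) for p in version.split(".")[:3]]
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers) >= (0, 0, 7)


if __name__ == "__main__":
    # Constructed sample headers: one normal browser upload, one oversized value.
    print(is_acceptable_multipart(
        "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"))
    print(is_acceptable_multipart("multipart/form-data; boundary=" + "a" * 71))
    print(python_multipart_is_patched())
```

In an ASGI application the `is_acceptable_multipart` check belongs in middleware that inspects the request's `content-type` header and returns a 400 before the body is ever parsed; `python_multipart_is_patched()` can run once at startup so a vulnerable dependency fails deployment rather than serving traffic.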


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-01-29T20:51:26.011Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9817c4522896dcbd7732

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 1:28:12 AM

Last updated: 8/20/2025, 5:04:24 AM
