Litestar DoS vulnerability (Critical) – Request body parsing without size limits

2024-11-21

Platform: Litestar

Version: All versions

Vulnerability: Denial of Service (DoS)

Severity: Critical

Date: Not Available

What Undercode Says:

This critical DoS vulnerability in Litestar allows attackers to crash the server by sending large requests. The issue lies in the way Litestar parses request bodies for JSON, MsgPack, and form data: these parsers impose no size limit, so an oversized request body is read fully into memory and can consume all available server memory.

Here’s a breakdown:

Impact: Server crashes due to memory exhaustion.

Affected Methods: Request.json(), Request.msgpack(), Request.form() (and potentially related extractors).

Mitigation:

Implement a configurable size limit for the parsers (for formats where applicable).
Use a reverse proxy (such as Nginx) to limit total request size (not ideal for large file uploads).
For large file uploads, consider alternative streaming parsers, but be aware of compatibility limitations with Litestar features.
Upgrade to a Litestar release that addresses this issue, once one is available.

Remember: This is a critical vulnerability. Update Litestar or implement mitigations as soon as possible.
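Because Litestar is an ASGI application, the size limit the mitigation list asks for can be enforced in front of the body parsers rather than inside them. The following is an added example, not Litestar's or the advisory's own code: a pure-ASGI middleware with a configurable cap that rejects a request whose declared Content-Length exceeds the cap before any body is read, and also counts the streamed bytes so a missing or dishonest Content-Length cannot bypass the limit. The `BodySizeLimit` class, the `buffering_handler` stand-in and the `run` harness are hypothetical names; wiring the middleware into an application's middleware stack is left to the reader.

```python
import asyncio

class BodyTooLarge(Exception): "Streamed body exceeded the cap."

class BodySizeLimit:
    """ASGI middleware capping the request body (hypothetical, not Litestar's own). Checks
    the declared Content-Length cheaply, then counts streamed bytes, since the header may lie."""
    def __init__(self, app, max_bytes=1024 * 1024):
        self.app, self.max_bytes = app, max_bytes
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":             # lifespan / websocket: pass straight through
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers", [])).get(b"content-length")
        if declared is not None and int(declared) > self.max_bytes:
            return await reject(send)           # body is never read into memory
        seen = 0
        async def guarded_receive():            # count bytes as the handler streams them
            nonlocal seen
            msg = await receive()               # http.disconnect carries no body key
            seen += len(msg.get("body", b""))
            if seen > self.max_bytes:
                raise BodyTooLarge()
            return msg
        try:
            await self.app(scope, guarded_receive, send)
        except BodyTooLarge:                    # raised while the handler is still reading,
            await reject(send)                  # i.e. before any response has started

async def reject(send):
    await send({"type": "http.response.start", "status": 413, "headers": []})
    await send({"type": "http.response.body", "body": b"payload too large"})

async def buffering_handler(scope, receive, send):
    """Stand-in for a handler that reads the whole body, as Request.json() does."""
    body, more = b"", True
    while more:
        msg = await receive()
        body, more = body + msg.get("body", b""), msg.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"%d bytes" % len(body)})
def run(chunks, max_bytes, content_length=None):
    """Drive the middleware with a constructed request; return the response status."""
    chunks, sent = list(chunks), []
    async def receive():
        body = chunks.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(chunks)}
    async def send(msg):
        sent.append(msg)
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "headers": headers}
    asyncio.run(BodySizeLimit(buffering_handler, max_bytes)(scope, receive, send))
    return sent[0]["status"]
```

A request of two 60-byte chunks with no Content-Length is cut off at the second chunk, and a request that declares 5000 bytes against a 100-byte cap is refused before its body is touched.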

References:

Reported By: Github.com
Undercode AI: https://ai.undercodetesting.com
