CVE-2023-30798
Publication date 21 April 2023
Last updated 26 August 2025
Ubuntu priority
Description
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| starlette | 25.10 questing |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa (0.25.0)
- https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
- https://vulncheck.com/advisories/starlette-multipartparser-dos
- https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
- https://www.cve.org/CVERecord?id=CVE-2023-30798