v0.29.1

@PawelPeczek-Roboflow PawelPeczek-Roboflow released this 03 Dec 14:25
53f84a1

🛠️ Fixed

python-multipart security issue fixed

Caution

This release removes the following vulnerability, recently reported in the python-multipart library, from the inference dependency set.

Issue summary
When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact
Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Next steps
We advise all inference clients to migrate to version 0.29.1, especially when the inference Docker image is in use. Clients using
older versions of the Python package may instead upgrade the vulnerable dependency in their own environment:

pip install "python-multipart==0.0.19"

Details of the change: #855
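To confirm an environment is actually on the fixed dependency, the following added example (not part of this release or of the inference project's code) audits pinned requirements and the installed package against the fixed version named above, python-multipart 0.0.19. The sample requirements text is constructed for illustration; package names are compared after PEP 503 normalisation so that spellings such as `Python_Multipart` match.

```python
"""Audit pinned Python dependencies against a fixed version (added example)."""
from __future__ import annotations

import re
from importlib import metadata

# Assumption taken from the release note: python-multipart versions below
# 0.0.19 are affected, and 0.0.19 is the first fixed version.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {"python-multipart": (0, 0, 19)}

# Matches an exact pin such as "python-multipart==0.0.9"; other specifiers are skipped.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.0.19' into (0, 0, 19); a suffix such as '.post1' or 'rc1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(lines) -> list[tuple[str, str, str]]:
    """Return (package, pinned_version, fixed_version) for every pin below the fix."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = normalize_name(m.group(1))
        fixed = FIXED_VERSIONS.get(name)
        if fixed is None:
            continue  # not a package we are tracking
        if parse_version(m.group(2)) < fixed:
            findings.append((name, m.group(2), ".".join(map(str, fixed))))
    return findings


def installed_is_fixed(package: str = "python-multipart") -> bool | None:
    """True/False for the installed version; None if the package is not installed."""
    fixed = FIXED_VERSIONS.get(normalize_name(package))
    if fixed is None:
        raise ValueError(f"no fixed version recorded for {package!r}")
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return parse_version(version) >= fixed


# Constructed sample requirements file (not from the inference project).
SAMPLE_REQUIREMENTS = """
fastapi==0.110.0
python-multipart==0.0.9   # vulnerable pin
Python_Multipart==0.0.19  # same package, already on the fixed version
requests>=2.31            # not an exact pin, skipped
"""

if __name__ == "__main__":
    for name, pinned, fixed in audit_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{name}: pinned {pinned}, upgrade to {fixed} or later")
    print("installed python-multipart is fixed:", installed_is_fixed())
```

Run it against a real requirements or lock file by passing the file's lines to `audit_requirements`; the installed-version check covers environments that were never pinned, such as the Docker image case mentioned above.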

Remaining fixes

Full Changelog: v0.29.0...v0.29.1