hackerone / das7pad / H1:1904097
History: Mar 13, 2023 - 10:26 p.m.

Internet Bug Bounty: Potential DoS vulnerability in Django in multipart parser

2023-03-13 22:26:29
das7pad
hackerone.com
$2400
256
django
dos vulnerability
multipart parser
coordinated disclosure
open files
memory exhaustion
embargo date

EPSS: 0.004

Percentile: 72.4%

In Django 3.2.x before 3.2.18, 4.0.x before 4.0.10 and 4.1.x before 4.1.7, the multipart request parser was subject to a Denial of Service attack. The multipart request parser processes the request body on endpoints that serve a form and on any other POST endpoint as well. The parser processed an unlimited number of empty/file multipart parts. For each file part a new temporary file was opened and kept open for the entire duration of the request. Parsing and tracking an unbounded number of parts/files can lead to too many open files and to memory exhaustion.
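The mitigation class the fix belongs to is a parser that counts parts and refuses the request before allocating any per-part resource. The following is an added illustration written for this page, not Django's parser or its patch: a minimal `multipart/form-data` parser that enforces a cap on the total number of parts and a separate cap on file parts, checking the count before the point where a per-file temporary file would be opened. The limit values, the `build_body` fixture builder and the constructed request bodies are assumptions made for the example.

```python
"""Bounded multipart/form-data parsing (added example, not Django's code).

The parser below is intentionally simplified (no nested multipart, no
quoted-pair handling in Content-Disposition, no boundary-in-content
recovery). Its single point is where the limit check sits: a part is
counted and the request rejected BEFORE any temporary file or buffer
for that part is created, so a request carrying thousands of empty
parts costs the server nothing beyond scanning for the boundary.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed limits for this example; they are not Django's settings.
MAX_PARTS = 100
MAX_FILE_PARTS = 10


class TooManyParts(Exception):
    """Raised when a request exceeds the configured part limits."""


@dataclass
class Part:
    name: Optional[str]
    filename: Optional[str]  # None for ordinary form fields
    body: bytes


def _disposition_params(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract name= and filename= from a Content-Disposition value."""
    name = filename = None
    for item in value.split(";")[1:]:
        key, _, val = item.strip().partition("=")
        val = val.strip().strip('"')
        if key == "name":
            name = val
        elif key == "filename":
            filename = val
    return name, filename


def parse_multipart(body: bytes, boundary: str,
                    max_parts: int = MAX_PARTS,
                    max_file_parts: int = MAX_FILE_PARTS) -> List[Part]:
    delim = b"--" + boundary.encode("ascii")
    chunks = body.split(delim)
    # chunks[0] is the preamble; the chunk after the closing "--boundary--"
    # starts with b"--" and ends the loop.
    parts: List[Part] = []
    file_parts = 0
    for chunk in chunks[1:]:
        if chunk.startswith(b"--"):
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part: missing CRLF after boundary")
        head, sep, content = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing header terminator")
        if content.endswith(b"\r\n"):
            content = content[:-2]

        disposition = ""
        for line in head.split(b"\r\n"):
            key, _, val = line.partition(b":")
            if key.strip().lower() == b"content-disposition":
                disposition = val.strip().decode("latin-1")
        name, filename = _disposition_params(disposition)

        # Limit checks happen here, before the part is stored. A real
        # upload handler would open its temporary file only after this
        # point, so a flood of parts never reaches the file-open step.
        if len(parts) + 1 > max_parts:
            raise TooManyParts(f"more than {max_parts} parts in request")
        if filename is not None:
            file_parts += 1
            if file_parts > max_file_parts:
                raise TooManyParts(f"more than {max_file_parts} file parts")
        parts.append(Part(name, filename, content))
    return parts


def build_body(boundary: str,
               fields: List[Tuple[str, Optional[str], bytes]]) -> bytes:
    """Constructed test fixture: encode (name, filename, content) tuples."""
    out = []
    for name, filename, content in fields:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out.append(f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n"
                   .encode("ascii") + content + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode("ascii"))
    return b"".join(out)


if __name__ == "__main__":
    b = "exampleboundary"
    ok = parse_multipart(build_body(b, [("title", None, b"hi"),
                                        ("doc", "a.txt", b"data")]), b)
    print([(p.name, p.filename) for p in ok])
    try:
        parse_multipart(build_body(b, [("f", "e", b"")] * 5), b, max_file_parts=3)
    except TooManyParts as exc:
        print("rejected:", exc)
```

The check ordering is the whole mitigation: counting first and allocating second turns an unbounded open-file and memory cost into a bounded one, and a request that trips the limit is rejected with a single exception rather than after the server has already opened hundreds of temporary files.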

Side note: The DoS vectors are not unique to the multipart request parser in Django. Many other large vendors (other programming languages/frameworks/applications) were notified about the DoS vectors as well and an embargo date was set for the coordinated disclosure.

The Django maintainers took part in a coordinated disclosure of the DoS vulnerability with many other large vendors. This required scheduling a dedicated release for the fixes in Django.
The Django maintainers shared their patch with me well in advance for validation and refined it based on feedback.

Impact

Too many open files can stop other requests from opening files e.g. for rendering templates.
High memory usage can lead to the application getting OOM killed.
When the application gets OOM killed, all the open files are left behind, which in turn can lead to exhaustion of disk space/inodes.