
AIKIDO-2024-10053

prefect is vulnerable to Regular Expression Denial of Service (ReDoS)

Type: Regular Expression Denial of Service (ReDoS)
CVE: CVE-2024-24762
Published: Apr 24, 2024

52

Medium Risk

This Affects:

Ecosystem: python
Package: prefect
Affected versions: 2.14.0 - 2.14.21
Fixed in: 2.15.0

TL;DR

Because of a vulnerability in the starlette package (CVE-2024-24762), and because Prefect could not upgrade to a fixed starlette release, Prefect rewrote the affected parts of the package to eliminate the vulnerability. Affected versions of prefect are susceptible to Regular Expression Denial of Service (ReDoS) in python-multipart, which starlette uses for form parsing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

prefect is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 2.14.0 - 2.14.21.

How to fix this

Upgrade the prefect library to version 2.15.0 or later, the first release that contains the fix.