Ubuntu Patches ReDoS Vulnerability in Multipart HTTP Header Parser

A regular expression flaw in the multipart library allows attackers to trigger excessive resource consumption through crafted HTTP headers. Ubuntu has released security updates to address the denial-of-service risk.

TL;DR

  • The multipart library contains an ambiguous regex alternation in its HTTP header parsing logic
  • Remote attackers can exploit the flaw to cause denial of service via resource exhaustion
  • The vulnerability affects systems that process untrusted HTTP multipart requests
  • Ubuntu USN-8343-1 provides patches for affected distributions
  • Organizations should prioritize the updates to prevent application downtime

The multipart library, commonly used for parsing HTTP multipart form data, contains a regular expression vulnerability that can be exploited to cause denial of service. An attacker can craft specific HTTP header values that trigger catastrophic backtracking in the regex engine, consuming excessive CPU and memory resources.

This type of vulnerability, known as Regular Expression Denial of Service (ReDoS), represents a significant risk for web applications and APIs that process user-supplied multipart requests without proper input validation. Ubuntu has released security notice USN-8343-1 to address this issue across affected distributions.

Technical Details of the Vulnerability

  • An ambiguous regex alternation in multipart's HTTP header value parsing creates a ReDoS condition
  • Malformed or specially crafted header values trigger exponential backtracking in the regex engine
  • The vulnerability is remotely exploitable without authentication or special privileges
  • Affected systems experience CPU spikes and potential service unavailability

Impact and Mitigation

  • Applications that use the multipart library to process untrusted HTTP requests are at risk
  • Attackers can launch denial-of-service attacks by sending crafted multipart requests
  • Ubuntu USN-8343-1 provides patched versions for affected releases
  • Organizations should apply the updates promptly to maintain service availability
  • Input validation and rate limiting provide defense-in-depth protection

Sources
