CVE-2024-24762
CVE-2024-24762 affects python-multipart and describes a ReDoS in parsing the HTTP Content-Type header (options). An attacker can send a crafted Content-Type to exhaust CPU and stall the event loop. The vulnerability is fixed in version 0.0.7 by upstream patching the regex. Remediation is to upgra...
CVE-2026-40347
The CVE-2026-40347 entry concerns Python-Multipart. Versions prior to 0.0.26 are vulnerable to a denial-of-service when parsing crafted multipart/form-data with large preambles/epilogues. The fix (0.0.26+) skips ahead on leading CR/LF data and discards epilogue data after the closing boundary. Af...
CVE-2026-24486
CVE-2026-24486 affects the Python-Multipart project. Prior to 0.0.22, non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True allow path traversal enabling writing uploaded files to arbitrary filesystem locations. Mitigation is upgrading to 0.0.22 or avoiding UPLOAD_KEEP_FILENA...
CVE-2026-53539
CVE-2026-53539 (Python-Multipart) affects the Python-Multipart streaming multipart parser. Prior to 0.0.30, parsing application/x-www-form-urlencoded bodies used a two-step field separator lookup, causing an O(B^2) worst-case workload per chunk when semicolon is used as the separator and no amper...
CVE-2026-53537
Python-Multipart: Prior to 0.0.30, parse_options_header could decode RFC 2231/5987 extended parameters (filename*=, name*=, etc.) via email.message, leading to the filename/field name being surfaced in ways that RFC 7578 forbids. This allowed parameter smuggling where an attacker could bypass ups...
CVE-2026-53538
CVE-2026-53538 affects python-multipart, a streaming multipart parser for Python. Prior to 0.0.30, the QuerystringParser treated ";" as a field separator in application/x-www-form-urlencoded bodies in addition to "&", creating a parsing differential against WHATWG/urllib.parse behavior that only ...
CVE-2026-53540
Python-Multipart vulnerability CVE-2026-53540 affects the parse_form function in versions prior to 0.0.31. A negative Content-Length could cause a bounded read to become unbounded, loading the entire request body into memory and potentially exhausting memory. The issue is fixed in 0.0.31; remedia...