CVE-2026-28356 - Vulnerability Details

- ReDoS in multipart 1.3.0 - `parse_options_header()`

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Published: 2026-03-12

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in defnull's multipart library. Its parse_options_header() function relies on a regular expression that contains an ambiguous alternation, leading to exponential backtracking when parsing maliciously crafted HTTP or multipart segment headers. This results in a ReDoS condition that can be leveraged to exhaust server resources and cause a denial of service. The weakness corresponds to CWE‑1333.

Affected Systems

All users of the defnull:multipart library whose installed version precedes the fixes are affected. Specifically, any release before 1.2.2, before 1.3.1, or before 1.4.0‑dev contains the flaw. Projects that employ versions 1.0.x through 1.3.0 or any 1.4.0‑dev snapshot prior to the release of the patched version must be updated.

Risk and Exploitability

The CVSS base score is 7.5, indicating moderate to high severity for denial of service. The EPSS score is below 1 %, showing a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Because the flaw is triggered by forged request headers, an attacker can execute the attack remotely via the application’s HTTP interface, provided the application allows multipart form data. The impact is limited to application availability and does not affect confidentiality or integrity directly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

defnull

multipart

affected

Version	Status	Constraints
`>= 1.3.0, < 1.3.1`	affected	—
`< 1.2.2`	affected	—

No data.

Vendor Product Confidence Versions

Defnull

Multipart

100%

Version	Status	Scheme	Platform
`[1.3.0,1.3.1)`	affected	semver	—
`[0,1.2.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade defnull/multipart to version 1.2.2, 1.3.1, or 1.4.0‑dev or later.

Generated by OpenCVE AI on March 18, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6161-1	multipart security update
Github GHSA	GHSA-p2m9-wcp5-6qw3	multipart vulnerable to ReDoS in `parse_options_header()`

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00823.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3
https://nvd.nist.gov/vuln/detail/CVE-2026-28356
https://www.cve.org/CVERecord?id=CVE-2026-28356

History

Sat, 14 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-28356 https://www.cve.org/CVERecord?id=CVE-2026-28356
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 13 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Defnull Defnull multipart
Vendors & Products		Defnull Defnull multipart

Thu, 12 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Title		ReDoS in multipart 1.3.0 - `parse_options_header()`
Weaknesses		CWE-1333
References		https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Defnull Multipart

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-12T16:45:01.070Z

Updated: 2026-03-13T16:29:28.768Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28356

Vulnrichment

Updated: 2026-03-13T16:29:25.306Z

NVD

Status : Deferred

Published: 2026-03-12T17:16:50.080

Modified: 2026-04-16T14:47:16.733

Link: CVE-2026-28356

Redhat

Severity : Important

Publid Date: 2026-03-12T16:45:01Z

Links: CVE-2026-28356 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:48:57Z

Weaknesses

CWE-1333

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object