Description
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Python-Multipart is a streaming multipart parser used by Python web applications and frameworks to handle file uploads and form submissions. An unauthenticated client can send a `multipart/form-data` request whose preamble (the bytes before the first boundary) or epilogue (the bytes after the closing boundary) is very large. Versions before 0.0.26 work through that data inefficiently instead of skipping ahead to the next boundary candidate or discarding it outright, so the server spends disproportionate processing time on bytes that carry no form fields at all, which can delay or block the handling of other requests. The assigned weaknesses are CWE-400 (uncontrolled resource consumption) and CWE-834 (excessive iteration).

Affected Systems

The issue affects the Kludex python-multipart package in all releases before 0.0.26. Any application that routes file uploads or form submissions through the package is exposed, and frameworks that delegate form parsing to it inherit the issue. A request-body size limit in front of the application bounds the attack rather than preventing it, because a crafted preamble or epilogue can fit inside an otherwise ordinary-sized request body.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) describes a network-reachable, low-complexity attack that needs no privileges or user interaction and affects availability only, with limited impact. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is very low, and the CVE is not in the CISA KEV catalog, which records confirmed in-the-wild exploitation rather than the existence of proof-of-concept code. The attack vector is a single crafted HTTP request from any client; repeated or parallel requests against an application whose workers block on the parse could degrade the whole service, not just the one request.

Generated by OpenCVE AI on April 18, 2026 at 08:44 UTC.

Remediation

Fixed in python-multipart 0.0.26 (see the description above); no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to python‑multipart 0.0.26 or later, which skips ahead to the next boundary candidate in leading CR/LF data and discards epilogue data immediately after the closing boundary
  • If upgrading immediately is not possible, cap the total request body size and connection time at the reverse proxy; a proxy does not parse multipart structure, so a body-size limit is the practical control at that layer
  • In the application, enforce a maximum multipart body size and a parse timeout so that a single crafted request cannot hold a worker indefinitely
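The failure mode described under Impact and the size-limit advice in the list above, as an added example that is not python-multipart's own code: a simplified boundary scanner written in the slow style the advisory describes (one Python-level step per preamble byte) beside one that skips straight to the next boundary candidate with a single C-level search and discards the epilogue without scanning it. The `max_preamble` and `max_epilogue` caps are a defence-in-depth control assumed for this example, not something the advisory prescribes; the boundary string and the sample body are constructed here.

```python
"""Simplified multipart boundary scanning, constructed to illustrate
CVE-2026-40347.  Example code for this page, not python-multipart's
implementation; it only mirrors the behaviour the advisory describes."""
import time
from typing import List, Optional, Tuple

CRLF = b"\r\n"


def build_body(boundary: bytes, preamble: bytes = b"", epilogue: bytes = b"") -> bytes:
    """Constructed multipart/form-data body with one text field, laid out as
    RFC 2046 allows: [preamble CRLF] --boundary ... --boundary-- CRLF [epilogue]."""
    delim = b"--" + boundary
    head = preamble + CRLF + delim if preamble else delim
    part = CRLF + b'Content-Disposition: form-data; name="f"' + CRLF + CRLF + b"hello" + CRLF
    return head + part + delim + b"--" + CRLF + epilogue


def find_first_boundary_bytewise(body: bytes, boundary: bytes) -> int:
    """Stand-in for the slow path: advance one byte at a time through the
    preamble and re-test for the delimiter at every offset.  Every step is a
    Python-level operation, so a multi-megabyte CR/LF preamble costs millions
    of steps before the first real field is reached."""
    delim = b"--" + boundary
    for i in range(len(body)):
        if body.startswith(delim, i):
            return i
    raise ValueError("no boundary found")


def find_first_boundary_skipping(body: bytes, boundary: bytes,
                                 max_preamble: Optional[int] = None) -> int:
    """Fixed-style path: jump to the next candidate with one C-level search and
    (an assumption of this example) reject an over-long preamble before any
    further work."""
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        raise ValueError("no boundary found")
    if max_preamble is not None and pos > max_preamble:
        raise ValueError(f"preamble of {pos} bytes exceeds limit of {max_preamble}")
    return pos


def parse_parts(body: bytes, boundary: bytes,
                max_preamble: Optional[int] = None,
                max_epilogue: Optional[int] = None) -> Tuple[List[Tuple[bytes, bytes]], int]:
    """Return ([(headers, data), ...], epilogue_length).  After the closing
    delimiter nothing is scanned: the epilogue is measured and discarded."""
    delim = b"--" + boundary
    pos = find_first_boundary_skipping(body, boundary, max_preamble)
    parts: List[Tuple[bytes, bytes]] = []
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):            # closing delimiter reached
            epilogue = body[pos + 2:]
            if epilogue.startswith(CRLF):          # transport padding after "--"
                epilogue = epilogue[2:]
            if max_epilogue is not None and len(epilogue) > max_epilogue:
                raise ValueError(f"epilogue of {len(epilogue)} bytes exceeds limit of {max_epilogue}")
            return parts, len(epilogue)
        if not body.startswith(CRLF, pos):
            raise ValueError("malformed delimiter line")
        pos += len(CRLF)                            # CRLF that ends the delimiter line
        nxt = body.find(CRLF + delim, pos)          # next delimiter, again one C-level find
        if nxt < 0:
            raise ValueError("unterminated part")
        headers, _, data = body[pos:nxt].partition(CRLF + CRLF)
        parts.append((headers, data))
        pos = nxt + len(CRLF)                       # leave pos at the next "--boundary"


def time_scans(preamble_len: int, boundary: bytes = b"boundary7f3a") -> dict:
    """Time both scanners on a crafted body whose preamble is preamble_len
    bytes of CR/LF; returns seconds per scanner."""
    body = build_body(boundary, preamble=CRLF * (preamble_len // 2))
    timings = {}
    for name, fn in (("bytewise", find_first_boundary_bytewise),
                     ("skipping", find_first_boundary_skipping)):
        t0 = time.perf_counter()
        fn(body, boundary)
        timings[name] = time.perf_counter() - t0
    return timings


if __name__ == "__main__":
    for name, secs in time_scans(2_000_000).items():
        print(f"{name:9s} {secs:.4f}s")
```

Running the module times both scanners on a 2 MB CR/LF preamble: the bytewise scanner's cost grows with every byte of preamble, while the skipping one is a single `find()` call regardless of length. The caps stop a request early when they are exceeded; a proxy body-size limit bounds the same work from outside the application without needing to understand multipart structure.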


Advisories

Source: GitHub GHSA
ID: GHSA-mj87-hwqh-73pj
Title: python-multipart affected by Denial of Service via large multipart preamble or epilogue data
History

Sat, 18 Apr 2026 01:45:00 +0000

Type: First Time appeared
Values Added: Kludex; Kludex python-multipart

Type: Vendors & Products
Values Added: Kludex; Kludex python-multipart

Sat, 18 Apr 2026 00:15:00 +0000

Type: Description
Values Added: Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Type: Title
Values Added: Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data

Type: Weaknesses
Values Added: CWE-400; CWE-834

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1, score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:56:50.777Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40347

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T00:16:38.520

Modified: 2026-04-18T00:16:38.520

Link: CVE-2026-40347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses