Description
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Python-Multipart is a streaming multipart parser used in Python web applications. The vulnerability allows an attacker to create a multipart/form‑data request that contains a very large preamble or epilogue section. When parsed, the library consumes excessive resources before reaching the actual file data, potentially exhausting server memory or CPU and causing service interruption. The weakness is characterized by a failure to enforce resource limits (CWE‑1050), a denial‑of‑service via resource consumption (CWE‑400), and improper handling of input data (CWE‑834).

Affected Systems

The issue affects the Kludex Python‑Multipart package, specifically all releases older than 0.0.26. Systems that rely on this package to process file uploads or form submissions are potentially exposed if they accept large multipart boundaries without appropriate size controls.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of < 1% suggests a very low but non‑zero exploitation probability, and the absence from the CISA KEV catalog indicates no public exploits are documented. Likely attack vectors involve a client sending a crafted HTTP request to a vulnerable server; no authentication or additional privileges are required. The weakness involves a failure to enforce resource limits (CWE‑1050) and excessive resource consumption (CWE‑400) due to large preamble or epilogue data, limiting the impact to service availability but potentially affecting broader infrastructure reliability through repeated or high‑volume attacks.

Generated by OpenCVE AI on April 21, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to python‑multipart 0.0.26 or later, which skips unnecessary boundary candidates and discards epilogue data promptly
  • If upgrading immediately is not possible, configure the application or its reverse proxy to reject or throttle requests with excessively large preamble or epilogue sizes
  • Implement additional input validation or size limits on multipart parsing to guard against abusive request constructs

Generated by OpenCVE AI on April 21, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mj87-hwqh-73pj python-multipart affected by Denial of Service via large multipart preamble or epilogue data
History

Fri, 24 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiexpert
Fastapiexpert python-multipart
CPEs cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*
Vendors & Products Fastapiexpert
Fastapiexpert python-multipart

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex python-multipart
Vendors & Products Kludex
Kludex python-multipart

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Title Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data
Weaknesses CWE-400
CWE-834
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Fastapiexpert Python-multipart
Kludex Python-multipart
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T15:46:40.011Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40347

cve-icon Vulnrichment

Updated: 2026-04-20T15:46:27.078Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-18T00:16:38.520

Modified: 2026-04-24T16:51:19.917

Link: CVE-2026-40347

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-17T23:56:50Z

Links: CVE-2026-40347 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses