CVE-2026-42561 - Vulnerability Details

- Python-Multipart: Denial of Service via unbounded multipart part headers

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

Published: 2026-05-13

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Python‑Multipart is a streaming multipart parser for Python that, before version 0.0.27, was vulnerable to a denial‑of‑service attack. The parser does not impose limits on the number of part headers or the size of an individual header when parsing multipart/form‑data, allowing an attacker to send a request with either many repeated headers or a single very large header value. This forces the parser to perform excessive CPU work before it can reject or complete the request, potentially exhausting server resources and disrupting availability.

Affected Systems

The vulnerability affects installations of Kludex python‑multipart in any version earlier than 0.0.27. Clients or services that use this library to process multipart/form‑data should review the version they are running.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact with limited exploit requirements. Because the attack vector likely involves HTTP multipart requests, any exposed endpoint that accepts multipart/form‑data is a potential target, though the absence of an EPSS score and lack of listing in the CISA KEV catalog suggest the vulnerability is not yet widely exploited. Nevertheless, an attacker could craft a malicious request to trigger the denial‑of‑service condition if the target has not applied the fix.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Kludex

python-multipart

affected

Version	Status	Constraints
`< 0.0.27`	affected	—

No data.

Vendor Product Confidence Versions

Kludex

Python-multipart

100%

Version	Status	Scheme	Platform
`[0,0.0.27)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to python‑multipart 0.0.27 or later, which implements limits on header count and size.
If an upgrade is not immediately possible, implement a web‑application firewall or reverse‑proxy rule to reject incoming requests with excessively large headers or a suspicious number of headers before they reach the application.
Monitor server performance and log entries for anomalous multipart requests to detect attempts to exploit the vulnerability.

Generated by OpenCVE AI on May 13, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pp6c-gr5w-3c5g	python-multipart has Denial of Service via unbounded multipart part headers

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00067.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g

History

Thu, 14 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kludex Kludex python-multipart
Vendors & Products		Kludex Kludex python-multipart

Wed, 13 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
Title		Python-Multipart: Denial of Service via unbounded multipart part headers
Weaknesses		CWE-770
References		https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Kludex Python-multipart

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-13T20:55:11.767Z

Updated: 2026-05-14T19:52:12.815Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42561

Vulnrichment

Updated: 2026-05-14T16:04:40.895Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:47.070

Modified: 2026-05-14T17:00:31.310

Link: CVE-2026-42561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object