Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Published: 2026-06-22
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Python-Multipart is a streaming multipart parser for Python. In versions before 0.0.30, its header parsing logic incorrectly decodes RFC 2231/5987 extended parameters such as filename*=…, name*=…, and the continuation forms filename*0/filename*1, treating them as the plain filename or name fields. RFC 7578 §4.2 explicitly excludes these extended forms from multipart/form‑data, so components that do not reject them may misinterpret the header. This mismatch allows an attacker to smuggle a different field name or file name past upstream inspection, causing the backend to store or process the payload under an unintended key and potentially leaking or corrupting data.

Affected Systems

The flaw exists in Kludex’s python‑multipart package in every release before 0.0.30. Any Python application that relies on this parser to handle multipart/form‑data—such as file upload handlers, API endpoints, or services that delegate parsing to the library—is potentially impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate impact. The EPSS score is below 1%, implying a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The most likely attack vector is an HTTP multipart/form‑data upload where the attacker controls the Content‑Disposition header. Exploitation requires that upstream systems, such as WAFs or proxies, do not forbid extended parameters; if they do, the attacker can still transmit a request that reaches the application with a manipulated field name or file name, which may lead to data leakage or integrity violations. Because the vulnerability is confined to parsing logic, the overall risk remains moderate but should be mitigated by applying the patch.

Generated by OpenCVE AI on June 30, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python‑multipart to version 0.0.30 or later to apply the official fix.
  • Configure your web server or reverse proxy to reject multipart/form‑data requests that contain extended Content‑Disposition parameters (filename*, name*).
  • Add a middleware layer that strips or rejects RFC 2231/5987 extended parameters before the request reaches application logic.

Generated by OpenCVE AI on June 30, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vffw-93wf-4j4q python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
History

Tue, 30 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

threat_severity

Low


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex python-multipart
Vendors & Products Kludex
Kludex python-multipart

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Title Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Weaknesses CWE-20
CWE-436
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Kludex Python-multipart
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:08:07.690Z

Reserved: 2026-06-09T18:13:07.262Z

Link: CVE-2026-53537

cve-icon Vulnrichment

Updated: 2026-06-23T16:03:19.747Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T16:57:21Z

Links: CVE-2026-53537 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T14:00:06Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-20

    Improper Input Validation

  • CWE-436

    Interpretation Conflict