Impact
Python-Multipart is a streaming multipart parser for Python. In versions before 0.0.30, its header parsing logic incorrectly decodes RFC 2231/5987 extended parameters such as filename*=…, name*=…, and the continuation forms filename*0/filename*1, treating them as the plain filename or name fields. RFC 7578 §4.2 explicitly excludes these extended forms from multipart/form‑data, so components that do not reject them may misinterpret the header. This mismatch allows an attacker to smuggle a different field name or file name past upstream inspection, causing the backend to store or process the payload under an unintended key and potentially leaking or corrupting data.
Affected Systems
The flaw exists in Kludex’s python‑multipart package in every release before 0.0.30. Any Python application that relies on this parser to handle multipart/form‑data—such as file upload handlers, API endpoints, or services that delegate parsing to the library—is potentially impacted.
Risk and Exploitability
The CVSS score of 3.7 indicates moderate impact. The EPSS score is below 1%, implying a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The most likely attack vector is an HTTP multipart/form‑data upload where the attacker controls the Content‑Disposition header. Exploitation requires that upstream systems, such as WAFs or proxies, do not forbid extended parameters; if they do, the attacker can still transmit a request that reaches the application with a manipulated field name or file name, which may lead to data leakage or integrity violations. Because the vulnerability is confined to parsing logic, the overall risk remains moderate but should be mitigated by applying the patch.
OpenCVE Enrichment
Github GHSA