Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Published: 2026-06-22
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Python‑Multipart, a Python streaming multipart parser, incorrectly handles RFC 2231/5987 extended parameters such as filename*=…, name*=…, and the continuation forms filename*0/filename*1 when parsing Content‑Disposition and Content‑Type headers. The canonical parameter (filename or name) is overridden by the extended form, which is explicitly forbidden for multipart/form‑data by RFC 7578 §4.2. Consequently an attacker can craft a multipart request that delivers a field name or filename to the backend that differs from what upstream components, such as web application fires, log or filter, expect. This mismatch can allow sensitive data to bypass validation or trigger unintended processing paths.

Affected Systems

The vulnerability exists in Kludex’s python‑multipart package in all releases before 0.0.30. Any Python application that uses python‑multipart for parsing multipart/form‑data—e.g., file upload handlers, API endpoints, or services that rely on the library’s parsing logic—is potentially impacted.

Risk and Exploitability

The CVSS score of 3.7 reflects the moderate impact of this issue. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an HTTP multipart/form‑data upload where the attacker controls the Content‑Disposition header. Exploitation requires crafting a request with an RFC 2231/5987 encoded parameter that upstream filters do not reject, allowing the attacker to smuggle a different field name or filename to the backend. Once the backend receives the tampered metadata, it may process or store the payload under an unintended field, potentially leading to data leakage or integrity violations. Because the problem is limited to parsing logic, the overall risk remains moderate, but applying the available fix removes the parsing flaw entirely.

Generated by OpenCVE AI on June 22, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python‑multipart to version 0.0.30 or later to apply the official fix.
  • Configure your web server or reverse proxy to reject multipart/form‑data requests that contain extended Content‑Disposition parameters (filename*, name*) so that upstream components cannot exploit the smuggling vector.
  • If an immediate upgrade is not feasible, add a middleware layer that normalizes multipart headers by stripping or rejecting RFC 2231/5987 extended parameters before they reach the application logic.

Generated by OpenCVE AI on June 22, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vffw-93wf-4j4q python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Title Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Weaknesses CWE-20
CWE-436
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T16:57:21.496Z

Reserved: 2026-06-09T18:13:07.262Z

Link: CVE-2026-53537

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T19:00:14Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-436

    Interpretation Conflict