Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Published: 2026-06-22
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A negative Content-Length header causes python-multipart’s parse_form() to perform an unbounded read, loading the entire request body into memory in one operation rather than processing it in fixed‑size chunks. This excessive memory consumption can exhaust available RAM, leading the application or host to crash or become unresponsive. The flaw is a classic resource exhaustion vulnerability (CWE‑400) and may also be viewed as improper resource handling (CWE‑1284).

Affected Systems

Kludex python‑multipart versions earlier than 0.0.31 are affected. Any application or framework that depends on these older releases and forwards client requests to parse_form() is at risk.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity impact, while the EPSS score of < 1 % suggests that public exploitation is unlikely. It is not listed in the CISA KEV catalog. The likely attack vector is through the HTTP request header; an adversary can craft a request with a negative Content‑Length value and send it to a vulnerable service, causing the parser to read until EOF and consume large amounts of memory. Successful exploitation requires that the target application use an affected python‑multipart version and that the negative header reaches the parse_form() call without prior validation.

Generated by OpenCVE AI on July 12, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python‑multipart to version 0.0.31 or later
  • Validate incoming request headers to reject negative Content‑Length values before invoking parse_form()
  • Keep all dependencies up to date and monitor security advisories for future patches

Generated by OpenCVE AI on July 12, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v9pg-7xvm-68hf python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
References
Metrics threat_severity

None

threat_severity

Low


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex python-multipart
Vendors & Products Kludex
Kludex python-multipart

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Title Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Kludex Python-multipart
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:21:55.932Z

Reserved: 2026-06-09T18:13:07.263Z

Link: CVE-2026-53540

cve-icon Vulnrichment

Updated: 2026-06-22T17:21:51.710Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T16:58:54Z

Links: CVE-2026-53540 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T21:30:16Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input

  • CWE-400

    Uncontrolled Resource Consumption