Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Published: 2026-06-22
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A negative Content-Length header causes the parse_form function in python-multipart to perform an unbounded read, loading the entire request body into memory in a single operation. This can lead to excessive memory consumption and a crash of the application or the host, resulting in a denial-of-service condition for the affected service.

Affected Systems

The vulnerability applies to Kludex python-multipart versions prior to 0.0.31. Any deployment using these earlier releases is susceptible; specific downstream frameworks that depend on this library without proper validation may also be impacted.

Risk and Exploitability

The CVSS score of 3.7 (rated Low) indicates limited severity, and the EPSS score is unavailable, suggesting limited public exploitation data. It is not listed in the CISA KEV catalog. The likely attack vector is any HTTP request that includes a negative Content-Length header, which could be crafted by an external attacker controlling the request. Exploitation would require the attacker to send such a request to a service using an affected library version, leading to memory exhaustion and service disruption.

Generated by OpenCVE AI on June 22, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python-multipart to version 0.0.31 or later
  • Configure the HTTP stack to reject or sanitize negative Content-Length headers before passing them to the parser
  • Monitor memory utilization of the application to detect abnormal spikes indicative of an exploitation attempt
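The read-until-EOF behaviour from the description and the header check the recommended actions call for, as an added Python illustration that is not python-multipart's own code: read_body_unvalidated reproduces the shape of a Content-Length-bounded chunked loop that trusts the header, and parse_content_length shows one way to reject the value before it can bound a read. The function names, the 4-byte chunk size and the sample bodies are constructed for this example; the validation shipped in 0.0.31 may differ.

```python
import io
import re
from typing import BinaryIO

CHUNK_SIZE = 4  # constructed: deliberately tiny so the chunking is visible

def read_body_unvalidated(stream: BinaryIO, content_length: int) -> list[int]:
    """Chunked read bounded by Content-Length, trusting the header as given.
    Returns the byte count of every read() so the behaviour is observable."""
    sizes, bytes_read = [], 0
    while True:
        # A negative content_length makes max_readable negative, and
        # BytesIO.read(n) with n < 0 means "read until EOF": the bound is
        # gone and the whole body arrives in a single read.
        max_readable = min(content_length - bytes_read, CHUNK_SIZE)
        buff = stream.read(max_readable)
        sizes.append(len(buff))
        bytes_read += len(buff)
        if len(buff) != max_readable or bytes_read == content_length:
            break
    return sizes

def parse_content_length(header_value: str) -> int:
    """Hardened header handling: accept only an unsigned decimal integer,
    the syntax RFC 9110 allows, so '-5', '+5', ' 5' and '1e3' are rejected."""
    if not re.fullmatch(r"[0-9]+", header_value):
        raise ValueError(f"invalid Content-Length: {header_value!r}")
    return int(header_value)

def read_body_validated(stream: BinaryIO, header_value: str) -> list[int]:
    """Validate the quantity before it can bound a read (CWE-1284 mitigation)."""
    return read_body_unvalidated(stream, parse_content_length(header_value))

def read_sizes(body: bytes, content_length: int) -> list[int]:
    """Run the unvalidated reader over a constructed in-memory body."""
    return read_body_unvalidated(io.BytesIO(body), content_length)

def read_sizes_checked(body: bytes, header_value: str) -> list[int]:
    """Run the validated reader; raises ValueError on a bad header value."""
    return read_body_validated(io.BytesIO(body), header_value)

def rejects(header_value: str) -> bool:
    """True if the hardened parser refuses this header value."""
    try:
        parse_content_length(header_value)
    except ValueError:
        return True
    return False
```

With a 20-byte body, a Content-Length of 10 yields reads of 4, 4 and 2 bytes, while -5 yields a single 20-byte read; the validated path refuses the negative header outright.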


Advisories

Source: Github GHSA
ID: GHSA-v9pg-7xvm-68hf
Title: python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
History

Mon, 22 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Title | | Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory
Weaknesses | | CWE-1284
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:21:55.932Z

Reserved: 2026-06-09T18:13:07.263Z

Link: CVE-2026-53540

Vulnrichment

Updated: 2026-06-22T17:21:51.710Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input