Impact
A negative Content-Length header causes python-multipart’s parse_form() to perform an unbounded read, loading the entire request body into memory in one operation rather than processing it in fixed‑size chunks. This excessive memory consumption can exhaust available RAM, leading the application or host to crash or become unresponsive. The flaw is a classic resource exhaustion vulnerability (CWE‑400) and may also be viewed as improper resource handling (CWE‑1284).
Affected Systems
Kludex python‑multipart versions earlier than 0.0.31 are affected. Any application or framework that depends on these older releases and forwards client requests to parse_form() is at risk.
Risk and Exploitability
The CVSS score of 3.7 indicates a low severity impact, while the EPSS score of < 1 % suggests that public exploitation is unlikely. It is not listed in the CISA KEV catalog. The likely attack vector is through the HTTP request header; an adversary can craft a request with a negative Content‑Length value and send it to a vulnerable service, causing the parser to read until EOF and consume large amounts of memory. Successful exploitation requires that the target application use an affected python‑multipart version and that the negative header reaches the parse_form() call without prior validation.
OpenCVE Enrichment
Github GHSA