CVE-2026-42561 - High Severity Vulnerability
Vulnerable Library - python_multipart-0.0.20-py3-none-any.whl
A streaming multipart parser for Python
Library home page: https://files.pythonhosted.org/packages/45/58/38b5afbc1a800eeea951b9285d3912613f2603bdf897a4ab0f4bd7f405fc/python_multipart-0.0.20-py3-none-any.whl
Path to dependency file: /OPENAPI-REST-API/swagger-client/python-flask/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260402123536_MTXLIM/python_EKDBTK/202604021249581/env/lib/python3.9/site-packages/python_multipart-0.0.20.dist-info
Dependency Hierarchy:
- connexion-3.3.0-py3-none-any.whl (Root Library)
- ❌ python_multipart-0.0.20-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Summary
"python-multipart" has a denial of service vulnerability in multipart part header parsing. When parsing "multipart/form-data", "MultipartParser" previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.
Impact
Applications that parse attacker-controlled "multipart/form-data" with affected versions of "python-multipart" can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke "python-multipart" may have worker or event-loop delays while processing malicious upload requests.
Details
The affected parser states are "HEADER_FIELD_START", "HEADER_FIELD", "HEADER_VALUE_START", "HEADER_VALUE", and "HEADER_VALUE_ALMOST_DONE". The issue can be triggered by:
- A multipart part with an oversized individual header value.
- A multipart part with many repeated header lines or an unterminated header block.
Both variants are addressed by enforcing default parser limits for maximum header count and maximum header size.
Mitigation
Upgrade to "python-multipart" "0.0.27" or later. If upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of "python-multipart" still parse multipart part headers without the default header count and header size limits.
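The following is an added example, not code from python-multipart, from the advisory, or from the scanned project. It shows the two limits the Details paragraph describes (a cap on header lines per part and a cap on the size of one header line) applied as a streaming pre-filter over a "multipart/form-data" body before it reaches an unpatched parser, together with a check of whether a pinned version predates the 0.0.27 fix and the request-body size limit the Mitigation paragraph recommends. The cap values, the boundary string, and the three payloads (a benign upload, an oversized header value, and a header block that never terminates) are constructed for this example; the fixed library's real default limits and option names are not stated on this page and are not assumed here.

```python
import re
from typing import List, Optional

# Assumed caps chosen for this example; they are not python-multipart's defaults.
MAX_HEADER_COUNT = 100
MAX_HEADER_SIZE = 8 * 1024
FIXED_VERSION = (0, 0, 27)  # first fixed release named in the advisory


class MultipartHeaderLimitExceeded(ValueError):
    """Raised when a part's header block violates one of the enforced limits."""

    def __init__(self, reason: str, detail: str):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def is_affected(version: str) -> bool:
    """True for any release older than 0.0.27, the advisory's fix version."""
    nums = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return nums < FIXED_VERSION


def body_within_limit(content_length: Optional[int], max_bytes: int = 1_000_000) -> bool:
    """Server/proxy-layer mitigation: refuse oversized bodies before parsing.
    A missing Content-Length (e.g. chunked) is treated as unknown and refused."""
    return content_length is not None and 0 <= content_length <= max_bytes


def check_part_headers(body: bytes, boundary: bytes,
                       max_header_count: int = MAX_HEADER_COUNT,
                       max_header_size: int = MAX_HEADER_SIZE) -> int:
    """Walk every part of a multipart/form-data body and bound its header block.

    CRLF is searched only within a window of max_header_size bytes per line, so
    an oversized header cannot make this check itself do unbounded work.
    Returns the number of parts inspected; raises on any violation.
    """
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        raise MultipartHeaderLimitExceeded("malformed", "boundary not found")
    parts = 0
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):          # closing delimiter: done
            return parts
        if not body.startswith(b"\r\n", pos):
            raise MultipartHeaderLimitExceeded("malformed", "delimiter not followed by CRLF")
        pos += 2
        parts += 1
        count = 0
        while True:                              # one header line per iteration
            eol = body.find(b"\r\n", pos, pos + max_header_size + 2)
            if eol < 0:
                if len(body) - pos > max_header_size:
                    raise MultipartHeaderLimitExceeded(
                        "header_too_large", f"header line exceeds {max_header_size} bytes")
                raise MultipartHeaderLimitExceeded(
                    "unterminated_headers", "no blank line ends the header block")
            if eol == pos:                       # blank line ends the header block
                pos = eol + 2
                break
            count += 1
            if count > max_header_count:
                raise MultipartHeaderLimitExceeded(
                    "too_many_headers", f"more than {max_header_count} header lines in one part")
            pos = eol + 2
        nxt = body.find(b"\r\n" + delim, pos)     # skip part data to the next delimiter
        if nxt < 0:
            raise MultipartHeaderLimitExceeded("malformed", "closing boundary missing")
        pos = nxt + 2


def screen_multipart(body: bytes, boundary: bytes) -> str:
    """Verdict for a request body: 'accepted' or the rejection reason."""
    try:
        check_part_headers(body, boundary)
    except MultipartHeaderLimitExceeded as exc:
        return exc.reason
    return "accepted"


# Constructed sample payloads for this example (not captured traffic).
BOUNDARY = b"ExampleBoundary42"
CLOSE = b"--" + BOUNDARY + b"--\r\n"


def build_part(headers: List[bytes], data: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n" + b"".join(h + b"\r\n" for h in headers)
            + b"\r\n" + data + b"\r\n")


BENIGN = build_part([b'Content-Disposition: form-data; name="file"; filename="a.txt"',
                     b"Content-Type: text/plain"], b"hello") + CLOSE
OVERSIZED_HEADER = build_part([b"X-Big: " + b"A" * 20000], b"x") + CLOSE
UNTERMINATED_HEADERS = b"--" + BOUNDARY + b"\r\n" + b"X-Repeat: 1\r\n" * 500

if __name__ == "__main__":
    print("0.0.20 affected:", is_affected("0.0.20"))
    for name, payload in [("benign", BENIGN), ("oversized header", OVERSIZED_HEADER),
                          ("unterminated headers", UNTERMINATED_HEADERS)]:
        print(f"{name}: {screen_multipart(payload, BOUNDARY)}")
```

The pre-filter is a stopgap for the window before the upgrade lands: it rejects the two attack shapes from the Details paragraph with bounded work, but it does not change how the unpatched parser behaves on anything it lets through, so the version check and the upgrade remain the actual fix.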
Publish Date: 2026-05-08
URL: CVE-2026-42561
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp6c-gr5w-3c5g
Release Date: 2026-05-07
Fix Resolution: python-multipart - 0.0.27
Step up your Open Source Security Game with Mend here