
python-multipart EUVD-2026-38325

CVE-2026-53540 · LOW
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-15 · https://github.com/Kludex/python-multipart · GHSA-v9pg-7xvm-68hf
CVSS 3.1 base score 3.7 · Vendor: https://github.com/Kludex/python-multipart

Severity by source

Vendor (https://github.com/Kludex/python-multipart), primary: 3.7 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

vuln.today AI: 3.7 LOW
Rationale: AC:H reflects the non-default deployment pattern required; A:L captures memory pressure rather than full service loss; C:N and I:N because no data is disclosed or modified.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/Kludex/python-multipart).

CVSS Vector (Vendor: https://github.com/Kludex/python-multipart)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 15, 2026 - 20:55 (vuln.today)
  • Analysis Generated: Jun 15, 2026 - 20:55 (vuln.today)

Description (CVE.org)

Summary

parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

Details

parse_form() reads the input stream in chunks, never reading more than the remaining Content-Length at a time. The per-chunk size is computed as min(content_length - bytes_read, chunk_size). The header value was parsed to an integer without checking its sign, so a Content-Length of -1 made this expression negative, and input_stream.read(-1) reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.

Impact

This only affects code that calls parse_form() directly with a Content-Length header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:

  • Starlette and FastAPI drive MultipartParser directly from the ASGI receive() stream and do not call parse_form().
  • Known parse_form() consumers either do not forward Content-Length to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative Content-Length to 0.

The realistic exposure is limited to bespoke WSGI or http.server handlers that forward raw client headers into parse_form(). In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.

Mitigation

Upgrade to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before reading the stream.
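A small model of the read loop the Details section describes, beside the validation the fix adds, added here as an illustration and not python-multipart's own code. CountingStream, chunked_read, parse_content_length and safe_chunked_read are constructed for this example, and the body is a constructed sample; the only things taken from the advisory are the min(remaining, chunk_size) bound and the rule that a negative Content-Length is rejected with ValueError before any read.

```python
import io

CHUNK_SIZE = 1024
SAMPLE_BODY = b"x" * 10_000  # constructed stand-in for a request body


class CountingStream(io.BytesIO):
    """In-memory stream that records the size passed to every read() call,
    so we can see whether the body was read in chunks or all at once."""

    def __init__(self, data: bytes) -> None:
        super().__init__(data)
        self.read_sizes = []

    def read(self, size=-1) -> bytes:
        self.read_sizes.append(size)
        return super().read(size)


def chunked_read(stream, content_length: int, chunk_size: int = CHUNK_SIZE) -> int:
    """Model of the vulnerable loop: each read is bounded by
    min(remaining Content-Length, chunk_size). With a negative Content-Length
    that bound is negative, so read(-1) pulls the whole stream in one call.
    Returns the total number of bytes read."""
    bytes_read = 0
    while True:
        size = min(content_length - bytes_read, chunk_size)
        data = stream.read(size)
        if not data:
            break
        bytes_read += len(data)
        if bytes_read >= content_length:
            break
    return bytes_read


def parse_content_length(header_value: str) -> int:
    """Validate the header before it reaches the read loop: a negative value
    is rejected with ValueError, as the advisory describes for 0.0.31."""
    length = int(header_value)
    if length < 0:
        raise ValueError(f"negative Content-Length: {length}")
    return length


def safe_chunked_read(stream, header_value: str, chunk_size: int = CHUNK_SIZE) -> int:
    """Hardened entry point: validation happens before any stream read."""
    return chunked_read(stream, parse_content_length(header_value), chunk_size)
```

With the sample body, chunked_read(stream, -1) issues a single read(-1) of all 10,000 bytes, while safe_chunked_read(stream, "-1") raises before the stream is touched.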

Analysis (AI)

Memory exhaustion in python-multipart's parse_form() function allows a remote attacker to force unbounded body buffering by supplying a negative Content-Length header, degrading server availability under concurrent load. Affected deployments are narrowly scoped: only bespoke WSGI or http.server handlers that pass raw, unvalidated client-supplied Content-Length values directly into parse_form(). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify WSGI endpoint calling parse_form() with raw headers
  • Delivery: Craft POST request with Content-Length: -1 and large body
  • Exploit: Server parses negative header without sign check
  • Execution: input_stream.read(-1) buffers entire body in memory
  • Persist: Repeat concurrently to exhaust server memory
  • Impact: Availability degraded for legitimate users

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application calls python-multipart's parse_form() function AND supplies it a Content-Length value taken directly from the raw client-controlled HTTP header without prior sign normalization. …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) accurately reflects the limited real-world risk. …

Exploit Scenario: An attacker targets a custom Python WSGI application that parses multipart form submissions by calling parse_form() with headers sourced directly from the incoming HTTP request. The attacker sends a high volume of concurrent POST requests, each carrying a Content-Length: -1 header and a large streaming body; each request causes the server to buffer the entire body in memory in a single read rather than in fixed chunks, steadily consuming available RAM and degrading response times for legitimate users. …

Remediation: Upgrade python-multipart to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before any stream read occurs; this is the definitive fix per the vendor advisory at https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf. …
