#1136702 python-multipart: CVE-2026-42561

Package:
src:python-multipart
Source:
src:python-multipart
Submitter:
Salvatore Bonaccorso
Date:
2026-05-21 18:23:03 UTC
Severity:
normal
Tags:
#1136702#5
Date:
2026-05-14 21:33:05 UTC
From:
To:
Hi,

The following vulnerability was published for python-multipart.

CVE-2026-42561[0]:
| Python-Multipart is a streaming multipart parser for Python. Prior
| to 0.0.27, python-multipart has a denial of service vulnerability in
| multipart part header parsing. When parsing multipart/form-data,
| MultipartParser previously had no limit on the number of part
| headers or the size of an individual part header. An attacker could
| send a request with either many repeated headers without terminating
| the header block or a single very large header value, causing
| excessive CPU work before request rejection or completion. This
| vulnerability is fixed in 0.0.27.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42561
https://www.cve.org/CVERecord?id=CVE-2026-42561
[1] https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
[2] https://github.com/Kludex/python-multipart/pull/267
[3] https://github.com/Kludex/python-multipart/commit/3e64f5f8caba0e5d391b0c1ad0f1c2edf9e8f911

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore