python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.
Applications that parse attacker-controlled multipart/form-data with affected versions of python-multipart can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke python-multipart may have worker or event-loop delays while processing malicious upload requests.
The affected parser states are HEADER_FIELD_START, HEADER_FIELD, HEADER_VALUE_START, HEADER_VALUE, and HEADER_VALUE_ALMOST_DONE. The issue can be triggered by either of two inputs: many repeated part headers sent without ever terminating the header block, or a single part header with a very large value.
Both variants are addressed by enforcing default parser limits for maximum header count and maximum header size.
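To make the fix concrete, here is an added illustrative part-header parser (written for this page, not python-multipart's own code) that enforces a header count limit and a per-header size limit; the limit values and the test inputs are assumptions constructed for the demonstration.

```python
class HeaderLimitExceeded(ValueError):
    """Raised as soon as a part-header limit is hit, bounding the work done."""


def parse_part_headers(data: bytes, max_headers: int = 100,
                       max_header_size: int = 8192) -> dict[str, str]:
    """Parse one multipart part's header block under count and size limits.

    `data` starts right after the boundary line; an empty line (CRLF CRLF)
    closes the block. Every header line is counted, so repeated names cannot
    evade the count limit, and each line is scanned at most `max_header_size`
    bytes, so an oversized header is rejected before the whole body is read.
    """
    headers: dict[str, str] = {}
    count = pos = 0
    while True:
        # Search for the line terminator only inside the per-header size budget.
        end = data.find(b"\r\n", pos, pos + max_header_size + 2)
        if end == -1:
            if len(data) - pos > max_header_size:
                raise HeaderLimitExceeded(f"header line over {max_header_size} bytes")
            raise ValueError("header block not terminated")
        line, pos = data[pos:end], end + 2
        if line == b"":
            return headers  # empty line: header block complete
        if count >= max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} headers in one part")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        count += 1


def demo() -> dict[str, str]:
    """Feed constructed (not captured) inputs to the parser and report outcomes."""
    benign = (b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
              b"Content-Type: text/plain\r\n\r\n")
    # Variant 1: repeated headers with the block never terminated.
    flood = b"X-Repeat: 1\r\n" * 10_000
    # Variant 2: a single header whose value is far beyond the size limit.
    huge = b"X-Big: " + b"a" * 100_000 + b"\r\n\r\n"
    results = {"benign": str(parse_part_headers(benign))}
    for label, payload in (("many headers", flood), ("large header", huge)):
        try:
            parse_part_headers(payload)
            results[label] = "accepted"
        except HeaderLimitExceeded as exc:
            results[label] = f"rejected: {exc}"
    return results
```

Both malicious variants are rejected after at most the configured amount of work, while the benign block parses normally; the key detail is that the size check bounds the terminator search itself rather than running after a full scan.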
Upgrade to python-multipart 0.0.27 or later.
If upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of python-multipart still parse multipart part headers without the default header count and header size limits.
{
  "severity": "HIGH",
  "cwe_ids": [
    "CWE-770"
  ],
  "github_reviewed": true,
  "github_reviewed_at": "2026-05-06T21:56:14Z",
  "nvd_published_at": "2026-05-13T21:16:47Z"
}