GHSA-wp53-j4wj-2cfg

Source
https://github.com/advisories/GHSA-wp53-j4wj-2cfg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-wp53-j4wj-2cfg/GHSA-wp53-j4wj-2cfg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wp53-j4wj-2cfg
Aliases
Related
Published
2026-01-26T23:28:05Z
Modified
2026-01-29T03:37:32.690081Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
Python-Multipart has Arbitrary File Write via Non-Default Configuration
Details

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.
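As an added illustration (not code from python-multipart itself), the snippet below places the vulnerable join pattern described above beside a hardened variant that keeps only the last path component and verifies the result stays inside the upload directory. The upload directory, the sample filenames and the function names are constructed for this example.

```python
import os


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: os.path.join drops upload_dir whenever
    filename is absolute, so "/etc/malicious" escapes the directory."""
    return os.path.join(upload_dir, filename)


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened variant: reduce the client-supplied name to its final
    component (either separator), reject empty or dot names, then check
    that the normalised target is still contained in upload_dir."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.abspath(upload_dir)
    target = os.path.abspath(os.path.join(base, name))
    # Containment check: the common prefix must be the base directory itself.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload dir: {filename!r}")
    return target


def classify(upload_dir: str, filenames: list) -> dict:
    """Map each candidate filename to the path the hardened join would
    use, or to "REJECTED" when it cannot be made safe. Useful for
    auditing what a set of uploaded names would resolve to."""
    result = {}
    for fname in filenames:
        try:
            result[fname] = safe_upload_path(upload_dir, fname)
        except ValueError:
            result[fname] = "REJECTED"
    return result


if __name__ == "__main__":
    # Constructed sample names, including the advisory's own example.
    samples = ["report.pdf", "/etc/malicious", "../../etc/passwd", ".."]
    for fname in samples:
        print(f"{fname!r:22} unsafe -> {unsafe_upload_path('/upload/dir', fname)}")
    for fname, resolved in classify("/upload/dir", samples).items():
        print(f"{fname!r:22} safe   -> {resolved}")
```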

Affected Configuration

Projects are only affected if all of the following are true:
- UPLOAD_DIR is set
- UPLOAD_KEEP_FILENAME is set to True
- The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-01-27T01:16:02Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T23:28:05Z"
}
References

Affected packages

PyPI / python-multipart

Package

Name
python-multipart
Purl
pkg:pypi/python-multipart

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.22

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-wp53-j4wj-2cfg/GHSA-wp53-j4wj-2cfg.json"