Fluid Attacks Database

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	python-multipart	>=0 <0.0.31	0.0.31
debian 11	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-2 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 12	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 13	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-
debian 14	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-

Aliases

1. CVE-2026-535402. NVD-2026-535403. OSV-2026-535404. OSV-DEBIAN-2026-535405. GHSA-v9pg-7xvm-68hf6. GCVE-2026-535407. SECURITY-TRACKER-CVE-2026-53540

References

1. https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf