Fluid Attacks Database

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	python-multipart	>=0 <0.0.27	0.0.27
debian 11	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-2 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 12	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 13	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-
debian 14	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-

Aliases

1. CVE-2026-425612. NVD-2026-425613. OSV-2026-425614. OSV-DEBIAN-2026-425615. GHSA-pp6c-gr5w-3c5g6. GCVE-2026-425617. SECURITY-TRACKER-CVE-2026-42561

References

1. https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g