chore(backend-deps): Update dependency python-multipart to v0.0.31 [SECURITY]#320
Open
renovate[bot] wants to merge 1 commit into
Open
chore(backend-deps): Update dependency python-multipart to v0.0.31 [SECURITY]#320renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
|
👋 Thanks for your contribution! 🏷️ Auto-applied labels: Labels determine which CI workflows run. They update automatically with new commits. |
b1ce438 to
5ffcf3f
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
==0.0.30→==0.0.31python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
CVE-2026-53540 / GHSA-v9pg-7xvm-68hf
More information
Details
Summary
parse_form()did not validate theContent-Lengthheader before using it to bound its chunked read of the request body. A negativeContent-Lengthturned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.Details
parse_form()reads the input stream in chunks, never reading more than the remainingContent-Lengthat a time. The per-chunk size is computed asmin(content_length - bytes_read, chunk_size). The header value was parsed to an integer without checking its sign, so aContent-Lengthof-1made this expression negative, andinput_stream.read(-1)reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.Impact
This only affects code that calls
parse_form()directly with aContent-Lengthheader taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:MultipartParserdirectly from the ASGIreceive()stream and do not callparse_form().parse_form()consumers either do not forwardContent-Lengthto it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negativeContent-Lengthto0.The realistic exposure is limited to bespoke WSGI or
http.serverhandlers that forward raw client headers intoparse_form(). In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.Mitigation
Upgrade to version
0.0.31or later, which rejects a negativeContent-Lengthwith aValueErrorbefore reading the stream.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
Kludex/python-multipart (python-multipart)
v0.0.31Compare Source
Content-Lengthis non-negative inparse_form#297.Configuration
📅 Schedule: (in timezone Africa/Johannesburg)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.