Skip to content

chore(backend-deps): Update dependency python-multipart to v0.0.31 [SECURITY]#320

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-python-multipart-vulnerability
Open

chore(backend-deps): Update dependency python-multipart to v0.0.31 [SECURITY]#320
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-python-multipart-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
python-multipart (changelog) ==0.0.30==0.0.31 age confidence

python-multipart: Negative Content-Length in parse_form buffers the entire body in memory

CVE-2026-53540 / GHSA-v9pg-7xvm-68hf

More information

Details

Summary

parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

Details

parse_form() reads the input stream in chunks, never reading more than the remaining Content-Length at a time. The per-chunk size is computed as min(content_length - bytes_read, chunk_size). The header value was parsed to an integer without checking its sign, so a Content-Length of -1 made this expression negative, and input_stream.read(-1) reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.

Impact

This only affects code that calls parse_form() directly with a Content-Length header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:

  • Starlette and FastAPI drive MultipartParser directly from the ASGI receive() stream and do not call parse_form().
  • Known parse_form() consumers either do not forward Content-Length to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative Content-Length to 0.

The realistic exposure is limited to bespoke WSGI or http.server handlers that forward raw client headers into parse_form(). In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.

Mitigation

Upgrade to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before reading the stream.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Kludex/python-multipart (python-multipart)

v0.0.31

Compare Source

  • Speed up multipart header parsing and callback dispatch #​295.
  • Bound header field name size before validating #​296.
  • Validate Content-Length is non-negative in parse_form #​297.

Configuration

📅 Schedule: (in timezone Africa/Johannesburg)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Copy link
Copy Markdown
Contributor

👋 Thanks for your contribution!

🏷️ Auto-applied labels: backend, dependencies, size/XS, vulnerability

Labels determine which CI workflows run. They update automatically with new commits.

@renovate renovate Bot force-pushed the renovate/pypi-python-multipart-vulnerability branch from b1ce438 to 5ffcf3f Compare June 17, 2026 19:07
@github-actions github-actions Bot added size/XS and removed size/XS labels Jun 17, 2026
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants