chore(deps): update dependency python-multipart to v0.0.27 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
python-multipart (changelog)	==0.0.22 → ==0.0.27

---

python-multipart affected by Denial of Service via large multipart preamble or epilogue data

CVE-2026-40347 / GHSA-mj87-hwqh-73pj

More information

Details

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj
• https://github.com/Kludex/python-multipart/releases/tag/0.0.26
• https://nvd.nist.gov/vuln/detail/CVE-2026-40347
• https://github.com/advisories/GHSA-mj87-hwqh-73pj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

python-multipart has Denial of Service via unbounded multipart part headers

CVE-2026-42561 / GHSA-pp6c-gr5w-3c5g

More information

Details

Summary

python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.

Impact

Applications that parse attacker-controlled multipart/form-data with affected versions of python-multipart can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke python-multipart may have worker or event-loop delays while processing malicious upload requests.

Details

The affected parser states are HEADER_FIELD_START, HEADER_FIELD, HEADER_VALUE_START, HEADER_VALUE, and HEADER_VALUE_ALMOST_DONE. The issue can be triggered by:

• A multipart part with an oversized individual header value.
• A multipart part with many repeated header lines or an unterminated header block.

Both variants are addressed by enforcing default parser limits for maximum header count and maximum header size.

Mitigation

Upgrade to python-multipart 0.0.27 or later.

If upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of python-multipart still parse multipart part headers without the default header count and header size limits.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
• https://nvd.nist.gov/vuln/detail/CVE-2026-42561
• https://github.com/advisories/GHSA-pp6c-gr5w-3c5g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

python-multipart affected by Denial of Service via large multipart preamble or epilogue data

CVE-2026-40347 / GHSA-mj87-hwqh-73pj

More information

Details

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj
• https://nvd.nist.gov/vuln/detail/CVE-2026-40347
• https://github.com/Kludex/python-multipart
• https://github.com/Kludex/python-multipart/releases/tag/0.0.26

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

python-multipart has Denial of Service via unbounded multipart part headers

CVE-2026-42561 / GHSA-pp6c-gr5w-3c5g

More information

Details

Summary

python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.

Impact

Applications that parse attacker-controlled multipart/form-data with affected versions of python-multipart can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke python-multipart may have worker or event-loop delays while processing malicious upload requests.

Details

The affected parser states are HEADER_FIELD_START, HEADER_FIELD, HEADER_VALUE_START, HEADER_VALUE, and HEADER_VALUE_ALMOST_DONE. The issue can be triggered by:

• A multipart part with an oversized individual header value.
• A multipart part with many repeated header lines or an unterminated header block.

Both variants are addressed by enforcing default parser limits for maximum header count and maximum header size.

Mitigation

Upgrade to python-multipart 0.0.27 or later.

If upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of python-multipart still parse multipart part headers without the default header count and header size limits.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
• https://nvd.nist.gov/vuln/detail/CVE-2026-42561
• https://github.com/Kludex/python-multipart

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.27

Compare Source

• Add multipart header limits #​267.
• Pass parse offsets via constructors #​268.

v0.0.26

Compare Source

• Skip preamble before the first multipart boundary more efficiently #​262.
• Silently discard epilogue data after the closing multipart boundary #​259.

v0.0.25

Compare Source

• Add MIME content type info to File #​143.
• Handle CTE values case-insensitively #​258.
• Remove custom FormParser classes #​257.
• Add UPLOAD_DELETE_TMP to FormParser config #​254.
• Emit field_end for trailing bare field names on finalize #​230.
• Handle multipart headers case-insensitively #​252.
• Apply Apache-2.0 properly #​247.

v0.0.24

Compare Source

• Validate chunk_size in parse_form() #​244.

v0.0.23

Compare Source

• Remove unused trust_x_headers parameter and X-File-Name fallback #​196.
• Return processed length from QuerystringParser._internal_write #​229.
• Cleanup metadata dunders from __init__.py #​227.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.