CVE-2026-42561

Name: CVE-2026-42561
Description: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1136702
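The defensive property the advisory describes (a bound on the number of part headers and on the size of a single header, checked before the rest of the input is scanned) is shown below as an added example. This is not python-multipart's own code, and the limit values, exception names and `classify` helper are assumptions for illustration, not the values chosen upstream.

```python
# Added example, not python-multipart's own code: a bounded parser for the header
# block of one multipart part. It enforces the two limits the advisory says were
# missing before 0.0.27 (a cap on the number of headers per part and on the size
# of one header line). The limit values are assumptions for this example, not the
# values chosen upstream.

MAX_HEADERS = 32         # assumed cap on header lines per part
MAX_HEADER_SIZE = 1024   # assumed cap on bytes in one header line (excluding CRLF)


class HeaderLimitExceeded(ValueError):
    """A limit was hit; raised before the rest of the input is scanned."""

class TooManyHeaders(HeaderLimitExceeded): pass
class HeaderTooLarge(HeaderLimitExceeded): pass


def parse_part_headers(data, pos=0, max_headers=MAX_HEADERS,
                       max_header_size=MAX_HEADER_SIZE):
    """Parse CRLF-terminated 'Name: value' lines from `pos` up to the empty line
    that ends the block. Returns (headers, body_offset); raises ValueError on a
    malformed or unterminated block and a HeaderLimitExceeded subclass on abuse."""
    headers = []
    while True:
        # Look for CRLF only inside the allowed window, so an oversized line is
        # rejected without scanning it to the end (bounded work per line).
        eol = data.find(b"\r\n", pos, pos + max_header_size + 2)
        if eol == -1:
            if len(data) - pos > max_header_size:
                raise HeaderTooLarge("header line longer than %d bytes" % max_header_size)
            raise ValueError("unterminated header block")
        line, pos = data[pos:eol], eol + 2
        if line == b"":
            return headers, pos            # empty line: header block complete
        if len(headers) >= max_headers:    # checked before parsing a further line
            raise TooManyHeaders("more than %d headers in one part" % max_headers)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line[:40])
        headers.append((name.strip().lower(), value.strip()))


def classify(data):
    """Label the outcome for one constructed input (handy for tests and logging)."""
    try:
        parse_part_headers(data)
        return "ok"
    except HeaderLimitExceeded as exc:
        return type(exc).__name__
    except ValueError:
        return "malformed"
```

Both limits are applied per line, so the work done on a hostile header block is proportional to the limit rather than to the request size.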

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
python-multipart (PTS) | bullseye | 0.0.5-2 | vulnerable
python-multipart (PTS) | bookworm | 0.0.5-3 | vulnerable
python-multipart (PTS) | trixie | 0.0.20-1.1~deb13u1 | vulnerable
python-multipart (PTS) | forky | 0.0.22-1 | vulnerable
python-multipart (PTS) | sid | 0.0.26-1 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
python-multipart | source | (unstable) | (unfixed) | | | 1136702

Notes

https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
https://github.com/Kludex/python-multipart/pull/267
https://github.com/Kludex/python-multipart/commit/3e64f5f8caba0e5d391b0c1ad0f1c2edf9e8f911 (0.0.27)
