CVE-2026-53540 in python-multipart
Summary
by MITRE • 06/22/2026
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Analysis
by VulDB Data Team • 06/22/2026
Python-Multipart is a streaming multipart parser for HTTP request bodies, the encoding used for file uploads and form submissions in web applications. It reads the body in fixed-size chunks so that memory use stays bounded even for large uploads. In versions prior to 0.0.31, parse_form() used the Content-Length header to bound that chunked read without validating it first. When the header carried a negative value, the bound itself became negative and the bounded read degraded into a read-until-EOF: the entire request body was loaded into memory in a single read rather than being consumed in fixed-size chunks.
This is an input validation failure, specifically a missing bounds check on a length value, and its consequence is memory exhaustion and denial of service. Because the library did not confirm that Content-Length was a non-negative integer before using it as the count of bytes remaining to be read, a negative value defeats the chunked reading mechanism and yields one allocation the size of the whole body. An attacker who can reach a vulnerable endpoint can therefore send a request with a negative Content-Length and a large body to force that allocation, and can repeat it until the process or host runs out of memory. One caveat: a negative Content-Length is not a syntactically valid HTTP field value, so whether such a request reaches parse_form() at all depends on how the front-end server and framework treat malformed headers; the library-level fix removes that dependency rather than relying on it.
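To make the failure mode concrete, here is an added illustration, written for this page and not taken from python-multipart's own implementation, of a bounded chunked read that trusts Content-Length beside one that validates it first. The function names, the chunk size and the body cap are assumptions; the observable effect, a negative bound collapsing a chunked read into one read of the whole body, is what the advisory describes, and the validation step is the kind of check the fix in 0.0.31 adds.

```python
import io
import re

CHUNK_SIZE = 1024        # assumption: a small chunk size so the effect is visible
MAX_BODY = 1 << 20       # assumption: an application-level cap on bytes we will buffer


def make_body(n):
    """Constructed request body of n bytes, wrapped in a stream (test input only)."""
    return io.BytesIO(b"A" * n)


def _chunked_read(stream, remaining, chunk_size=CHUNK_SIZE):
    """Read `remaining` bytes from `stream` in pieces of at most `chunk_size`
    (remaining=None means read until EOF). Returns the size of every read()
    call made, which shows whether the body arrived in fixed-size chunks or
    in one oversized read."""
    sizes = []
    while True:
        to_read = chunk_size if remaining is None else min(chunk_size, remaining)
        # If `remaining` is negative, min() returns that negative number, and
        # BytesIO.read() with a negative size reads until EOF: the whole body at once.
        data = stream.read(to_read)
        if not data:
            break
        sizes.append(len(data))
        if remaining is not None:
            remaining -= len(data)
            if remaining <= 0:
                break
    return sizes


def read_body_vulnerable(stream, content_length):
    """The pre-0.0.31 pattern in miniature: the header value is used as the
    read bound with no validation at all (illustrative, not the library's code)."""
    bound = None if content_length is None else int(content_length)
    return _chunked_read(stream, bound)


_CONTENT_LENGTH = re.compile(r"[0-9]+")   # RFC 9110: Content-Length = 1*DIGIT


def parse_content_length(value, max_body=MAX_BODY):
    """Validate a Content-Length header before it is used as a read bound.
    Accepts None (header absent), str or bytes and returns an int or None.
    Rejects negative numbers, signs, exponents, non-ASCII digits and any
    value above `max_body`."""
    if value is None:
        return None
    if isinstance(value, bytes):
        value = value.decode("ascii")          # non-ASCII bytes raise UnicodeDecodeError
    text = str(value).strip()
    if not _CONTENT_LENGTH.fullmatch(text):
        raise ValueError(f"invalid Content-Length: {value!r}")
    length = int(text)
    if length > max_body:
        raise ValueError(f"Content-Length {length} exceeds limit of {max_body} bytes")
    return length


def read_body_hardened(stream, content_length, max_body=MAX_BODY):
    """Same chunked read, but only after the bound has been validated. With no
    Content-Length at all, the total read is still capped at `max_body` bytes."""
    bound = parse_content_length(content_length, max_body)
    if bound is not None:
        return _chunked_read(stream, bound)
    sizes = _chunked_read(stream, max_body + 1)
    if sum(sizes) > max_body:
        raise ValueError(f"request body exceeds limit of {max_body} bytes")
    return sizes


if __name__ == "__main__":
    print("negative Content-Length, unvalidated:", read_body_vulnerable(make_body(3000), "-1"))
    print("valid Content-Length, unvalidated:   ", read_body_vulnerable(make_body(3000), "3000"))
    try:
        read_body_hardened(make_body(3000), "-1")
    except ValueError as exc:
        print("negative Content-Length, validated:  rejected:", exc)
```

With a 3000-byte body and a 1024-byte chunk size, the unvalidated path reports a single 3000-byte read for Content-Length -1 and three reads (1024, 1024, 952) for Content-Length 3000; the validated path refuses the negative value before any read happens and, when the header is absent, stops buffering once the cap is exceeded.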
The impact is not limited to crashing a single request handler. Any application that hands untrusted request bodies to parse_form(), which in practice means any service accepting file uploads or form submissions from external clients, can be made to allocate the entire body on the heap at once; repeated or concurrent requests can exhaust the memory of the worker process or of the host. The entry is classified under CWE-129 (Improper Validation of Array Index) and mapped to ATT&CK technique T1499.003 (Endpoint Denial of Service: Application Exhaustion Flood).
The primary mitigation is to upgrade to python-multipart 0.0.31 or later, where parse_form() validates the Content-Length value before using it as a read bound. Defence in depth is still worthwhile: enforce request body size limits at the reverse proxy or web server so that oversized or malformed requests are rejected before the application parses them; alert on abnormal memory growth in worker processes; and treat every HTTP header as untrusted input, accepting Content-Length only as a non-negative decimal integer within an application-defined cap. The fix in 0.0.31 is a plain case of defensive programming: validate a length before letting it control how much memory a read may allocate. Security teams should inventory all systems that install the library, confirm the deployed version, and automate dependency updates so that patched releases of this and similar libraries roll out without manual tracking.
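As an added example of the server-side safeguard described above, not part of the original analysis, the following ASGI middleware rejects malformed or oversized Content-Length values before the wrapped application, and any multipart parser it calls, reads a byte of body. ASGI is an assumed deployment shape; the class and function names, the 4096-byte cap and the body-size echo application are illustrative, and the scope and messages used to drive it are constructed in the block.

```python
import asyncio
import re

_DIGITS = re.compile(r"[0-9]+")   # RFC 9110: Content-Length = 1*DIGIT


async def _plain_response(send, status, body):
    """Send a complete plain-text ASGI response."""
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class ContentLengthGuard:
    """Assumed ASGI middleware (example code): refuses a request whose
    Content-Length is not a single run of ASCII digits (so "-1" is rejected),
    is repeated, or exceeds `max_body`, before the wrapped app reads any body."""

    def __init__(self, app, max_body=8 * 1024 * 1024):
        self.app = app
        self.max_body = max_body

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        values = [v.strip() for k, v in scope["headers"] if k.lower() == b"content-length"]
        if values:
            # Malformed (negative, signed, non-numeric) or duplicated values are a client error.
            if len(values) != 1 or not _DIGITS.fullmatch(values[0].decode("ascii", "replace")):
                await _plain_response(send, 400, b"invalid Content-Length\n")
                return
            # A well-formed but oversized declaration is rejected before any body is read.
            if int(values[0]) > self.max_body:
                await _plain_response(send, 413, b"request body too large\n")
                return
        await self.app(scope, receive, send)


async def body_size_app(scope, receive, send):
    """Stand-in for the protected application: drains the body and reports its size."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await _plain_response(send, 200, f"{total} bytes\n".encode())


def simulate(app, headers, body):
    """Drive an ASGI app with a constructed POST; return (status, response body)."""
    scope = {"type": "http", "method": "POST", "path": "/upload",
             "headers": [(name.lower(), value) for name, value in headers]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": body, "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    status = sent[0]["status"]
    payload = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, payload


guarded_app = ContentLengthGuard(body_size_app, max_body=4096)   # assumption: 4 KiB cap for the demo

if __name__ == "__main__":
    print(simulate(guarded_app, [(b"Content-Length", b"-1")], b"A" * 10))
    print(simulate(guarded_app, [(b"Content-Length", b"10")], b"A" * 10))
    print(simulate(guarded_app, [(b"Content-Length", b"99999")], b""))
```

The guard distinguishes a malformed header (400, the request is not valid HTTP) from a well-formed but too-large one (413), and it never touches the body itself, so a negative value is turned away before any parser downstream could use it as a read bound. It does not replace the library upgrade: a request that reaches parse_form() by another path, or through a server that does not run this middleware, still needs the 0.0.31 check.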