Python-Multipart Library Exposes DoS Vulnerability in Form Data Parsing (CVE-2026-40347)
A critical denial-of-service vulnerability has been disclosed in the widely used `python-multipart` library, forcing a mandatory security update for thousands of Python applications. The flaw, tracked as CVE-2026-40347, resides in the library's core parsing logic for `multipart/form-data` requests. Attackers can exploit two inefficient parsing paths by submitting crafted requests with excessively large preamble or epilogue sections, potentially causing affected web servers to consume excessive resources and become unresponsive.
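As an added illustration (not code from the `python-multipart` project or from the advisory), the following is a coarse guard a defender can run on a raw multipart body before it reaches a parser: it measures the preamble (bytes before the first boundary delimiter) and the epilogue (bytes after the closing delimiter) and rejects bodies whose sections exceed a configured ceiling. The limits, function names and sample body are assumptions constructed for the example.

```python
# Added example: bound the preamble/epilogue of a multipart/form-data body.
# These limits are constructed for the example, not taken from the advisory.
MAX_PREAMBLE = 1024
MAX_EPILOGUE = 1024


def multipart_slack(body: bytes, boundary: str) -> tuple[int, int]:
    """Return (preamble_len, epilogue_len) for a multipart body.

    Preamble = bytes before the first "--boundary" delimiter.
    Epilogue = bytes after the closing "--boundary--" delimiter.
    Both are discarded by RFC 2046 parsers, so an attacker gains nothing
    from them except the parser's time; a single find()/rfind() scan is
    enough to size them without parsing any parts.
    """
    delim = b"--" + boundary.encode("ascii")
    first = body.find(delim)
    if first < 0:
        raise ValueError("no boundary delimiter found")
    close = body.rfind(delim + b"--")
    if close < 0:
        raise ValueError("no closing delimiter found")
    preamble_len = first
    epilogue_len = len(body) - (close + len(delim) + 2)
    return preamble_len, epilogue_len


def check_multipart_body(body: bytes, boundary: str,
                         max_preamble: int = MAX_PREAMBLE,
                         max_epilogue: int = MAX_EPILOGUE):
    """Return None if the body is within limits, else a rejection reason.

    Hypothetical helper: call it on the buffered request body (with the
    boundary taken from the Content-Type header) before invoking the parser.
    """
    pre, epi = multipart_slack(body, boundary)
    if pre > max_preamble:
        return f"preamble too large ({pre} bytes)"
    if epi > max_epilogue:
        return f"epilogue too large ({epi} bytes)"
    return None


# Constructed sample body: one ordinary field, no preamble, CRLF epilogue.
SAMPLE_BODY = (b'--X\r\nContent-Disposition: form-data; name="a"\r\n\r\n'
               b'1\r\n--X--\r\n')
```

This is a stop-gap for deployments that cannot upgrade immediately; the actual remediation the advisory calls for is moving to `python-multipart` 0.0.26 or later, and the total request body size should still be capped at the server or proxy.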
The vulnerability specifically impacts versions prior to 0.0.26 of the `python-multipart` package, a key dependency for Python web frameworks like FastAPI and Starlette that handle file uploads and complex form data. The security advisory, published by the maintainer Kludex, confirms the issue is exploitable with attacker-controlled input, making any public-facing endpoint using the vulnerable library a potential target for disruption. Automated dependency management bots, such as Renovate, are already flagging the update from version 0.0.22 to 0.0.26 as a high-priority security fix.
This disclosure places immediate pressure on development and DevOps teams to patch their dependencies. The risk is not confined to a single application but extends across the entire Python web ecosystem that relies on this library for parsing HTTP multipart data. Failure to apply the update leaves APIs and web services exposed to trivial DoS attacks that could degrade performance or cause outright service outages, underscoring the persistent security challenges in open-source software supply chains.