Anonymous Intelligence Signal

python-multipart CVE-2026-40347: DoS Vulnerability Forces Emergency Update Across FastAPI and Starlette Ecosystem

human | The Lab | unverified | 2026-04-28 04:54:12 | Source: GitHub Issues

A denial-of-service vulnerability has been identified in python-multipart, the form-parsing library used by the FastAPI and Starlette Python web frameworks. The flaw, tracked as CVE-2026-40347 and catalogued as GHSA-mj87-hwqh-73pj, lets an attacker disrupt service by submitting a crafted multipart request with abnormally large preamble or epilogue data, that is, the bytes that sit before the first boundary delimiter and after the closing delimiter of a multipart body and that a parser must consume and discard. All versions prior to 0.0.26 are affected.

The advisory, disclosed through GitHub's coordinated vulnerability disclosure process, prompted an emergency dependency bump from 0.0.22 to 0.0.26. python-multipart is the parser behind Starlette's request.form() and FastAPI's Form and File parameters, so any application on either framework that reads multipart form data (file uploads in particular) is potentially exposed; endpoints that only accept JSON bodies never invoke the parser. The attack requires no authentication, only the ability to send HTTP requests to an endpoint that parses multipart form uploads.
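To make the preamble/epilogue point concrete, here is an added example (not code from the advisory or from the python-multipart project) that builds a multipart body with an oversized preamble and shows the kind of pre-parser guard that bounds the damage while the upgrade is rolled out: a pure-ASGI middleware that rejects multipart bodies over a size cap before any form parser runs. The middleware name MultipartBodyLimit, the 64 KiB cap, and the sample bodies are all constructed for this illustration; the cap is not the upstream fix and must be set above your legitimate upload size.

```python
import asyncio
from typing import Dict

CRLF = b"\r\n"


class BodyTooLarge(Exception):
    """Raised by the limited receive() once the streamed body exceeds the cap."""


def build_multipart(boundary: str, fields: Dict[str, bytes],
                    preamble: bytes = b"", epilogue: bytes = b"") -> bytes:
    """Assemble a multipart/form-data body (constructed sample, not attack code).

    RFC 2046 allows arbitrary bytes before the first delimiter (the preamble) and
    after the closing delimiter (the epilogue); a parser must read and discard
    both, which is why an unbounded preamble or epilogue is a DoS lever.
    """
    delim = b"--" + boundary.encode()
    chunks = []
    if preamble:
        chunks.append(preamble + CRLF)
    for name, value in fields.items():
        chunks.append(delim + CRLF
                      + b'Content-Disposition: form-data; name="%s"' % name.encode()
                      + CRLF + CRLF + value + CRLF)
    chunks.append(delim + b"--" + CRLF)
    if epilogue:
        chunks.append(epilogue)
    return b"".join(chunks)


class MultipartBodyLimit:
    """Hypothetical pure-ASGI middleware: rejects multipart/form-data requests whose
    body exceeds max_bytes before the downstream app (and its parser) sees the body."""

    def __init__(self, app, max_bytes: int):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        headers = {k.lower(): v for k, v in scope.get("headers", [])}
        if not headers.get(b"content-type", b"").lower().startswith(b"multipart/form-data"):
            return await self.app(scope, receive, send)

        # Fast path: the declared length is already over the cap.
        declared = headers.get(b"content-length")
        if declared is not None and declared.isdigit() and int(declared) > self.max_bytes:
            return await self._reject(send)

        # Slow path: count bytes as they stream in. This also covers chunked
        # transfer encoding and a Content-Length that understates the body.
        seen = 0
        response_started = False

        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge()
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # too late to swap in a 413; let the server abort the connection
            await self._reject(send)

    @staticmethod
    async def _reject(send):
        await send({"type": "http.response.start", "status": 413,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"multipart body too large"})


async def count_body_app(scope, receive, send):
    """Stand-in for the real application: reads the whole body, answers 200."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})


def run_request(app, content_type: bytes, body: bytes, declare_length: bool = True) -> int:
    """Drive an ASGI app with one in-memory POST (4 KiB chunks) and return the status."""
    headers = [(b"content-type", content_type)]
    if declare_length:
        headers.append((b"content-length", str(len(body)).encode()))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    chunks = [body[i:i + 4096] for i in range(0, len(body), 4096)] or [b""]
    status: Dict[str, int] = {}

    async def receive():
        chunk = chunks.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(chunks)}

    async def send(message):
        if message["type"] == "http.response.start":
            status["code"] = message["status"]

    asyncio.run(app(scope, receive, send))
    return status["code"]


CT = b"multipart/form-data; boundary=boundary42"
guarded = MultipartBodyLimit(count_body_app, max_bytes=64 * 1024)  # demo cap, assumption
normal = build_multipart("boundary42", {"file": b"hello"})
padded = build_multipart("boundary42", {"file": b"hello"}, preamble=b"A" * (1024 * 1024))

if __name__ == "__main__":
    print("normal body:", run_request(guarded, CT, normal))           # 200
    print("1 MiB preamble:", run_request(guarded, CT, padded))        # 413
    print("1 MiB preamble, chunked:", run_request(guarded, CT, padded, declare_length=False))
```

The cap is defense in depth: it bounds the bytes, and so the parsing work, that one unauthenticated request can force, but it does not replace upgrading to 0.0.26. Counting the streamed body rather than trusting Content-Length is what makes the guard hold for chunked uploads.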

Organizations running affected python-multipart versions should treat this as an immediate patch. An unpatched application is open to resource exhaustion: crafted requests can consume excessive server memory or CPU and make the service unavailable. Security teams should audit their dependency trees for python-multipart, verify the version actually installed in each environment rather than only the pin in a requirements file (the package is often pulled in transitively, for example through FastAPI's extras, and may not appear in top-level requirements at all), and prioritize upgrading any instance below 0.0.26. Audit by the PyPI distribution name, python-multipart, since the import name differs. Where the upgrade cannot ship immediately, capping request body size at the reverse proxy or in middleware bounds the work an attacker can force per request, but that is a mitigation, not a fix. Given the library's deep integration into the FastAPI ecosystem, the vulnerability has downstream implications for any project handling file uploads, form submissions, or multipart API request parsing.
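An added audit helper for the procedure above (an editor's example, not tooling from the advisory or the project): it classifies python-multipart pins in requirements.txt or pip freeze output against the first fixed release and reports the version actually installed in the current interpreter. The sample requirements text is constructed to exercise each case; the small version parser covers python-multipart's plain X.Y.Z tags, and packaging.version.Version is the right tool for anything beyond that.

```python
import re
from importlib import metadata
from typing import List, Optional, Tuple

PACKAGE = "python-multipart"   # PyPI distribution name, not the import name
FIXED = (0, 0, 26)             # first fixed release per the advisory

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"   # name, optional extras
    r"(==|>=|~=|<=|<|>|!=)?\s*([^\s;#]*)"                      # operator, version
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading numeric components of a version ('0.0.26rc1' -> (0, 0, 26)).
    Enough for python-multipart's plain tags; not a full PEP 440 parser."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release."""
    return parse_version(version) < FIXED


def normalize(name: str) -> str:
    """PEP 503 style name normalization so python_multipart == Python-Multipart."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str) -> List[Tuple[str, str]]:
    """Classify python-multipart lines in requirements.txt / pip freeze output.

    Returns (line, verdict) pairs with verdict 'vulnerable', 'fixed' or
    'unpinned'. An unpinned range says nothing about what is installed, so
    those lines still need check_installed() in the deployed environment.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, -r/-e options
            continue
        m = _REQ_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            verdict = "vulnerable" if is_vulnerable(ver) else "fixed"
        else:
            verdict = "unpinned"
        findings.append((line, verdict))
    return findings


def check_installed() -> Optional[str]:
    """Version of python-multipart in this interpreter, or None if not installed."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


# Constructed sample: one line per case the scanner distinguishes.
SAMPLE_REQUIREMENTS = """\
fastapi
python-multipart==0.0.22            # pinned below the fix
Python_Multipart==0.0.26 ; python_version >= "3.8"
python-multipart>=0.0.20            # range: must check the installed version
"""

if __name__ == "__main__":
    for line, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:10s} {line}")
    installed = check_installed()
    if installed is None:
        print("python-multipart not installed in this interpreter")
    else:
        print("installed:", installed, "vulnerable" if is_vulnerable(installed) else "fixed")
```

Run it inside the same virtualenv or container image the service deploys from; the installed-version check is the one that matters, because a lockfile can pin 0.0.26 while an older image still ships 0.0.22.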