Anonymous Intelligence Signal

python-multipart Parsing Flaw Enables Denial-of-Service via Oversized Multipart Bodies

Author: The Lab (unverified) | Published: 2026-05-02 21:54:08 | Source: GitHub Issues

A denial-of-service vulnerability has been identified in python-multipart, a widely used Python library for parsing multipart/form-data request bodies. The flaw, tracked as CVE-2026-40347, affects versions up to and including 0.0.20; a patched release is available as version 0.0.26. The vulnerability stems from inefficient handling of the preamble (data before the first boundary) and the epilogue (data after the closing boundary), so a request padded with large amounts of such data consumes far more server CPU than a legitimate upload of the same size.

The report describes two distinct weaknesses in the same parser. First, while searching for the start of the first multipart section, the parser handles leading CR and LF bytes inefficiently instead of skipping the preamble in a single bounded search. Second, after consuming the closing boundary, it continues to process trailing epilogue bytes rather than discarding the rest of the body immediately. In both paths the work done grows with the volume of attacker-controlled bytes placed before the first boundary or after the closing one, and those bytes cost the attacker nothing to generate. An attacker therefore only needs to send oversized, malformed multipart bodies (for example, a long run of CR/LF before the first boundary, or junk after the final one) to tie up worker processes on the target service.
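As an added illustration (this is not python-multipart's code and not a reconstruction of its patch), the following minimal scanner shows the two properties the advisory calls for: the preamble is skipped with one linear search for the first delimiter, and parsing stops the moment the closing delimiter is seen, so epilogue bytes are never inspected. The `build_body` helper, the boundary string and the field values are constructed for the demonstration.

```python
import time


def parse_multipart(body, boundary):
    """Return a list of {"headers": {...}, "data": bytes}, one per part.

    Illustrative scanner, not python-multipart's parser:
      1. the preamble is skipped with a single bytes.find() for the first
         delimiter, so leading CR/LF padding costs one linear C-speed scan
         and no per-byte state-machine work;
      2. as soon as the closing delimiter ("--" + boundary + "--") is seen
         the function returns; the epilogue is never looked at.
    """
    delim = b"--" + boundary
    parts = []
    pos = body.find(delim)              # (1) skip the preamble in one search
    if pos == -1:
        raise ValueError("no boundary found")
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):
            return parts                # (2) closing delimiter: ignore epilogue
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        hdr_end = body.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            raise ValueError("unterminated part headers")
        headers = {}
        for line in body[pos:hdr_end].decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name:
                headers[name.strip().lower()] = value.strip()
        data_start = hdr_end + 4
        nxt = body.find(b"\r\n" + delim, data_start)
        if nxt == -1:
            raise ValueError("unterminated part")
        parts.append({"headers": headers, "data": body[data_start:nxt]})
        pos = nxt + 2 + len(delim)


def build_body(boundary, fields, preamble=b"", epilogue=b""):
    """Constructed multipart/form-data body. preamble/epilogue model the
    attacker-controlled padding the advisory describes."""
    out = [preamble]
    for name, value in fields.items():
        out += [b"--" + boundary + b"\r\n",
                b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n',
                value + b"\r\n"]
    out += [b"--" + boundary + b"--\r\n", epilogue]
    return b"".join(out)


def timed_parse(body, boundary):
    """Parse and report wall-clock seconds, the signal a monitor would watch."""
    t0 = time.perf_counter()
    parts = parse_multipart(body, boundary)
    return parts, time.perf_counter() - t0


if __name__ == "__main__":
    B = b"exampleBoundary"                       # assumed boundary value
    fields = {"user": b"alice", "file": b"hello world"}
    plain = build_body(B, fields)
    padded = build_body(B, fields,
                        preamble=b"\r\n" * 5_000_000,   # 10 MB of CR/LF before first boundary
                        epilogue=b"\r\n" * 5_000_000)   # 10 MB after the closing boundary
    for label, body in (("plain", plain), ("20 MB padding", padded)):
        parts, secs = timed_parse(body, B)
        print(f"{label}: {len(body)} bytes, {len(parts)} parts, {secs * 1000:.2f} ms")
```

Even a parser with these properties still reads the whole body into memory here; a production deployment also needs an upstream request body size limit, since the cheapest fix for "attacker sends a huge body" is to refuse huge bodies before any parser runs.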

python-multipart is a core dependency of major Python web frameworks including Starlette and FastAPI, and likely of other ASGI-based applications as well. Because most applications pull it in transitively, check the resolved version (for example with `pip show python-multipart`) rather than the framework version. This widespread adoption means the vulnerability carries elevated risk for any deployment that accepts form file uploads or exposes API endpoints handling multipart data. Organizations running affected versions should prioritize updating to 0.0.26 or later. Since the available records do not assign a severity, the practical impact depends on the specific deployment and on how exposed affected endpoints are to untrusted input; an internal-only admin form is a different risk from an anonymous public upload endpoint. Until patches are applied, a request body size limit at the reverse proxy or framework layer reduces exposure, since the attack depends on oversized bodies, and runtime monitoring for abnormal parsing times on multipart endpoints can help detect active exploitation attempts.
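The following dependency-free ASGI middleware is an added example of the two interim controls mentioned above; it is not part of Starlette, FastAPI or python-multipart. It rejects multipart bodies that exceed a size cap before any parser sees them, enforcing the cap both on the declared Content-Length and on the streamed bytes (so chunked or mislabelled requests cannot bypass it), and records how long the downstream application spent on each multipart request so abnormal handling times can be alerted on. The limit, the log line, the `echo_app` used to exercise it and the `run_request` driver are assumptions for the demonstration.

```python
import asyncio
import time

MAX_MULTIPART_BYTES = 1 * 1024 * 1024   # assumed cap; tune per endpoint


class BodyTooLarge(Exception):
    pass


def _header(scope, name):
    for k, v in scope.get("headers", []):
        if k.lower() == name:
            return v
    return None


class MultipartGuard:
    """Pure-ASGI middleware: size cap before parsing, timing after."""

    def __init__(self, app, max_bytes=MAX_MULTIPART_BYTES, slow_seconds=1.0, log=print):
        self.app = app
        self.max_bytes = max_bytes
        self.slow_seconds = slow_seconds
        self.log = log
        self.timings = []           # (path, bytes_seen, seconds) per multipart request

    async def _reject(self, send):
        await send({"type": "http.response.start", "status": 413,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"multipart body too large"})

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        ctype = _header(scope, b"content-type") or b""
        if not ctype.lower().startswith(b"multipart/form-data"):
            return await self.app(scope, receive, send)
        # Cheap check first: a declared length over the cap is refused unread.
        clen = _header(scope, b"content-length")
        if clen is not None and clen.isdigit() and int(clen) > self.max_bytes:
            return await self._reject(send)
        # Content-Length may be absent (chunked) or wrong, so count the stream too.
        seen = 0

        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge(seen)
            return message

        start = time.perf_counter()
        try:
            await self.app(scope, limited_receive, send)
        except BodyTooLarge:
            # Works while the app is still reading the body; if it had already
            # started a response this 413 would fail, which is why the
            # declared-length check above stays the primary control.
            await self._reject(send)
        finally:
            elapsed = time.perf_counter() - start
            self.timings.append((scope.get("path"), seen, elapsed))
            if elapsed > self.slow_seconds:
                self.log(f"slow multipart handling path={scope.get('path')} "
                         f"bytes={seen} seconds={elapsed:.3f}")


async def echo_app(scope, receive, send):
    """Constructed downstream app: drains the body like a parser would, answers 200."""
    total = 0
    while True:
        msg = await receive()
        total += len(msg.get("body", b""))
        if not msg.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})


def run_request(app, body_chunks, declare_length=True,
                content_type=b"multipart/form-data; boundary=xyz"):
    """Drive an ASGI app with a constructed POST; return (status, response body)."""
    headers = [(b"content-type", content_type)]
    if declare_length:
        headers.append((b"content-length", str(sum(map(len, body_chunks))).encode()))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    chunks = list(body_chunks)
    sent = []

    async def receive():
        chunk = chunks.pop(0) if chunks else b""
        return {"type": "http.request", "body": chunk, "more_body": bool(chunks)}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    guard = MultipartGuard(echo_app, max_bytes=1000)
    print(run_request(guard, [b"x" * 100]))                         # (200, b'100')
    print(run_request(guard, [b"x" * 2000]))                        # declared too large -> 413
    print(run_request(guard, [b"x" * 600, b"x" * 600], declare_length=False))  # streamed too large -> 413
```

The `timings` list is the hook for monitoring: export it to your metrics pipeline and alert when the per-request time for a multipart endpoint departs from its baseline for the body sizes you normally see.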