Anonymous Intelligence Signal

CVE-2026-24486: Path Traversal Flaw in python-multipart Exposes Systems to Arbitrary File Write

The Lab (unverified) | 2026-05-02 21:54:09 | Source: GitHub Issues

A Path Traversal vulnerability has been identified in python-multipart versions up to 0.0.20, enabling attackers to write uploaded files to arbitrary filesystem locations under specific non-default configuration conditions. The flaw, catalogued as CVE-2026-24486, resides in how the library handles file path construction when the `UPLOAD_DIR` setting is active alongside `UPLOAD_KEEP_FILENAME=True`. The vulnerability carries an unknown severity rating, with the patched version listed as 0.0.22.

The core issue stems from the use of `os.path.join()` when constructing file paths for uploaded content. When any argument passed to `os.path.join()` is an absolute path (one beginning with a forward slash), every preceding component is discarded. For instance, `os.path.join("/upload/dir", "/etc/malicious")` resolves to `/etc/malicious` rather than to a path within the intended upload directory. This allows a malicious actor to craft filenames that are absolute paths (such as `/etc/malicious`) or that contain parent-directory components (such as `../../etc/malicious`) to bypass the intended upload directory and write files to arbitrary locations on the server. The vulnerable configuration appears in `requirements/development.txt`, suggesting exposure within development environments.
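As an added illustration (not python-multipart's own code), the following Python contrasts the join behaviour described above with a containment check that an upload handler can apply before writing a client-supplied filename to disk; `naive_target_path`, `safe_target_path` and `is_rejected` are hypothetical names chosen for this example.

```python
import os


def naive_target_path(upload_dir: str, filename: str) -> str:
    """Illustrative reimplementation of the construction the advisory
    describes (not the library's code). os.path.join discards every component
    before an argument that is an absolute path, so a client-chosen filename
    such as "/etc/malicious" replaces upload_dir entirely."""
    return os.path.join(upload_dir, filename)


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Return a destination inside upload_dir, or raise ValueError.

    Two independent checks: the client-supplied name is reduced to its last
    path component (dropping absolute and ".." prefixes with either separator
    style, since the client controls the string regardless of server OS), and
    the final path is resolved and verified to still lie under upload_dir.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError(f"unusable upload filename: {filename!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    # Containment check: realpath follows symlinks, so a link planted inside
    # upload_dir cannot redirect the write elsewhere either.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"upload would escape directory: {filename!r}")
    return candidate


def is_rejected(upload_dir: str, filename: str) -> bool:
    """True if safe_target_path refuses the filename."""
    try:
        safe_target_path(upload_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames, including the two quoted in the advisory.
    for name in ("report.pdf", "/etc/malicious", "../../etc/malicious", ".."):
        print(f"{name!r:24} naive={naive_target_path('/upload/dir', name)!r}")
        if is_rejected("/upload/dir", name):
            print(f"{'':24} safe=rejected")
        else:
            print(f"{'':24} safe={safe_target_path('/upload/dir', name)!r}")
```

The same containment check is what to look for when auditing a handler that runs with `UPLOAD_KEEP_FILENAME=True`; without it, the client-supplied name reaches `os.path.join()` unchanged.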

Applications relying on python-multipart with the affected configuration face a risk of arbitrary file writes, which could enable remote code execution, configuration tampering, or supply chain compromise depending on the target system's permissions and architecture. Users of the library are advised to upgrade to version 0.0.22 immediately and to audit any deployments using `UPLOAD_KEEP_FILENAME=True` to determine potential exposure. Given the library's role in handling HTTP multipart file uploads, a common requirement for web frameworks and APIs, the vulnerability carries broad practical implications across Python-based internet-facing services.