CVE-2026-40347
denial of service vulnerability in python-multipart (PyPI)
What is CVE-2026-40347 About?
This is a denial of service vulnerability in python-multipart's multipart/form-data parsing, caused by inefficient handling of large preamble or epilogue sections. An attacker can send requests with oversized, malformed multipart bodies that consume excessive CPU time during parsing. This degrades application availability but typically does not bring the application down entirely.
Affected Software
Technical Details
The denial of service stems from two inefficient paths in multipart/form-data parsing. First, before the initial boundary, the parser handles leading CR (carriage return) and LF (line feed) bytes inefficiently while searching for the first part. Second, after the closing boundary, the parser keeps processing the trailing epilogue instead of discarding it immediately. In both cases an attacker can pad the preamble or epilogue with an arbitrary amount of data; the parser spends CPU cycles on bytes that carry no form data, and parsing time grows in proportion to the size of the crafted input. The result is higher resource consumption and reduced capacity for handling legitimate requests.
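Both parsing paths described above share one cheap defence: measure the preamble (bytes before the first `--boundary`) and the epilogue (bytes after `--boundary--`) with a single search and refuse the request when either exceeds a small limit, before any per-part parsing happens. The following is an added example written for this page; it is not python-multipart's code and does not reproduce the library's vulnerable or fixed parser. The function names, the 1 KiB limits and the sample bodies are assumptions constructed for the demonstration; the fix for the library itself is the version upgrade in the advisory.

```python
"""Bound the multipart envelope before any per-part work is done.

Added example, not python-multipart code. The preamble and epilogue are
located with bytes.find(), a single linear scan, instead of being walked
byte by byte, and are rejected above a small limit. Limits and the sample
form bodies below are constructed for the demonstration.
"""
import re

# Assumed limits. RFC 2046 says preamble and epilogue are to be ignored,
# and real browsers and HTTP clients send nothing there, so 1 KiB is generous.
MAX_PREAMBLE = 1024
MAX_EPILOGUE = 1024

_NAME_RE = re.compile(rb'\bname="([^"]*)"')  # field name in Content-Disposition


class MultipartEnvelopeError(ValueError):
    """Malformed or oversized multipart envelope (boundaries, preamble, epilogue)."""


def parse_multipart(body: bytes, boundary: bytes,
                    max_preamble: int = MAX_PREAMBLE,
                    max_epilogue: int = MAX_EPILOGUE) -> dict:
    """Return {field_name: value} for a multipart/form-data body.

    Raises MultipartEnvelopeError before touching any part if the preamble
    or epilogue is larger than the configured limit, so an attacker-padded
    envelope costs one find() call each rather than parser time per byte.
    """
    delim = b"--" + boundary

    # Preamble: everything before the first delimiter. One scan, no state
    # machine that reacts to every CR or LF in the padding.
    first = body.find(delim)
    if first == -1:
        raise MultipartEnvelopeError("no opening boundary")
    if first > max_preamble:
        raise MultipartEnvelopeError(f"preamble of {first} bytes exceeds {max_preamble}")

    # Closing delimiter "--boundary--"; everything after it is epilogue.
    close = body.find(delim + b"--", first)
    if close == -1:
        raise MultipartEnvelopeError("no closing boundary")
    epilogue_len = len(body) - (close + len(delim) + 2)
    if epilogue_len > max_epilogue:
        raise MultipartEnvelopeError(f"epilogue of {epilogue_len} bytes exceeds {max_epilogue}")

    if close == first:  # "--boundary--" with no parts at all
        return {}

    # Part region: CRLF part CRLF --boundary CRLF part CRLF ... (RFC 2046:
    # the CRLF before each delimiter belongs to the delimiter).
    inner = body[first + len(delim):close]
    if inner.endswith(b"\r\n"):
        inner = inner[:-2]

    fields = {}
    for raw in inner.split(b"\r\n" + delim):
        if not raw.startswith(b"\r\n"):
            raise MultipartEnvelopeError("boundary line not terminated by CRLF")
        head, sep, value = raw[2:].partition(b"\r\n\r\n")
        if not sep:
            raise MultipartEnvelopeError("part without header/body separator")
        m = _NAME_RE.search(head)
        if m is None:
            raise MultipartEnvelopeError("part without a field name")
        fields[m.group(1)] = value
    return fields


def envelope_ok(body: bytes, boundary: bytes, **limits) -> bool:
    """True if the body passes the envelope checks and parses; False otherwise."""
    try:
        parse_multipart(body, boundary, **limits)
        return True
    except MultipartEnvelopeError:
        return False


BOUNDARY = b"XyZ123"  # constructed sample boundary


def build_body(preamble: bytes = b"", epilogue: bytes = b"") -> bytes:
    """Constructed two-field form body with optional attacker-controlled padding."""
    return (preamble
            + b"--XyZ123\r\n"
            + b'Content-Disposition: form-data; name="user"\r\n\r\nalice\r\n'
            + b"--XyZ123\r\n"
            + b'Content-Disposition: form-data; name="note"\r\n'
            + b"Content-Type: text/plain\r\n\r\nhi there\r\n"
            + b"--XyZ123--\r\n"
            + epilogue)


if __name__ == "__main__":
    print(parse_multipart(build_body(), BOUNDARY))
    print("padded preamble accepted:", envelope_ok(build_body(preamble=b"\r\n" * 100_000), BOUNDARY))
    print("padded epilogue accepted:", envelope_ok(build_body(epilogue=b"A" * 100_000), BOUNDARY))
```

The limits are deliberately separate from any overall request-body limit: a body-size cap alone still lets an attacker spend the whole allowance on preamble or epilogue, whereas this check rejects such a body at the cost of two searches. In a deployed service the same check belongs in middleware in front of whatever multipart library is in use, in addition to the upgrade.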
What is the Impact of CVE-2026-40347?
Successful exploitation may allow attackers to consume excessive CPU resources, leading to reduced request-handling capacity, delayed responses, and degradation of service availability.
What is the Exploitability of CVE-2026-40347?
Exploitation is of low complexity and requires no authentication or special privileges: an attacker only needs to send HTTP requests carrying multipart/form-data bodies with large preamble or epilogue sections to an endpoint that hands them to the vulnerable parser. This is a remote scenario with no prerequisites beyond network access to the target. The risk is highest for applications that frequently process multipart/form-data and have little protection against resource exhaustion, such as no body-size limit or rate limiting in front of the parser.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-40347?
Available Upgrade Options
- python-multipart
- <0.0.26 → Upgrade to 0.0.26
What are Similar Vulnerabilities to CVE-2026-40347?
Similar Vulnerabilities: CVE-2023-45133, CVE-2020-13936, CVE-2021-26291, CVE-2021-36109, CVE-2022-35805
