VYPR
Low severity · 3.7 · GHSA Advisory · Published Jun 15, 2026

python-multipart: Negative Content-Length in parse_form buffers the entire body in memory

CVE-2026-53540

Description

A negative Content-Length in parse_form() causes unbounded read, leading to memory buffering and potential availability degradation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The parse_form() function in python-multipart did not validate the sign of the Content-Length header before using it to bound chunked reads of the request body. When a negative value such as -1 is provided, the per-chunk size calculation min(content_length - bytes_read, chunk_size) becomes negative, and input_stream.read(-1) reads the entire remaining stream until EOF instead of reading fixed-size chunks [1], [2]. This issue affects all versions prior to 0.0.31.

Exploitation

An attacker can send a crafted HTTP request with a negative Content-Length header to a server endpoint that directly calls parse_form() using raw, attacker-controlled header values. No authentication is required if the endpoint is publicly accessible. The server will then read the entire request body into memory in a single unbounded read, bypassing the intended chunked processing [1], [2].

Impact

The primary impact is resource exhaustion: under concurrent requests, the unbounded memory allocation can degrade server availability. The vulnerability does not provide code execution or information disclosure; it is limited to a memory-based denial of service condition. The realistic exposure is confined to bespoke WSGI or http.server handlers that forward raw client Content-Length values to parse_form() [1], [2].

Mitigation

Upgrade to version 0.0.31 or later, which rejects a negative Content-Length by raising a ValueError before reading the stream [1], [2]. No known popular packages (e.g., Starlette, FastAPI) are affected; they either do not call parse_form() or normalize the header beforehand. If upgrading is not immediately possible, ensure that any custom handler normalizes a negative Content-Length to 0 before passing it to parse_form() [1], [2].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (1)

c814948acf50

Reject negative `Content-Length` in `parse_form` (#297)

https://github.com/Kludex/python-multipart · Marcelo Trylesinski · Jun 4, 2026 · Fixed in 0.0.31 · via llm-release-walk
2 files changed · +11 −0
  • python_multipart/multipart.py (+2 −0, modified)
    @@ -1900,6 +1900,8 @@ def parse_form(
         content_length: int | float | bytes | None = headers.get("Content-Length")
         if content_length is not None:
             content_length = int(content_length)
    +        if content_length < 0:
    +            raise ValueError("Content-Length must be non-negative")
         else:
             content_length = float("inf")
         bytes_read = 0
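Review bot: the guard lands in the right place (after the int() conversion, before the read loop), but the hunk does not document the new exception: parse_form() now raises ValueError for a header value that previously went through, and a caller that wants to turn that into a 400 response needs to know. Suggest adding a "Raises ValueError" line to the function's docstring next to the existing chunk_size validation this test file already covers (test_parse_form_invalid_chunk_size), and noting that the preceding `content_length = int(content_length)` can itself raise ValueError with a different message for a non-numeric header, so callers should catch ValueError rather than match on the message text.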
    
  • tests/test_multipart.py (+9 −0, modified)
    @@ -1650,6 +1650,15 @@ def test_parse_form_invalid_chunk_size(self) -> None:
                     chunk_size=0,
                 )
     
    +    def test_parse_form_negative_content_length(self) -> None:
    +        with self.assertRaisesRegex(ValueError, "Content-Length must be non-negative"):
    +            parse_form(
    +                {"Content-Type": b"application/octet-stream", "Content-Length": b"-1"},
    +                BytesIO(b"123456789012345"),
    +                lambda _: None,
    +                lambda _: None,
    +            )
    +
     
     def suite() -> unittest.TestSuite:
         suite = unittest.TestSuite()
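Review bot: the new test checks that the ValueError is raised but not the property that matters for the fix, namely that the guard fires before any byte of the body is consumed. Bind the BytesIO to a name instead of passing it inline, and after the `with self.assertRaisesRegex(...)` block add `self.assertEqual(stream.tell(), 0)` so a future refactor that moves the check below the first read() would fail this test rather than silently reintroducing the unbounded read.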
    

Vulnerability mechanics

Root cause

"Missing sign validation on the Content-Length header integer allows a negative value to turn a bounded chunked read into an unbounded read-until-EOF."

Attack vector

An attacker sends an HTTP request with a `Content-Length` header set to a negative value (e.g. `-1`) to a server that calls `parse_form()` directly with attacker-controlled headers. Because the header is parsed without sign validation [CWE-1284], the intended chunked read collapses into a single unbounded read that loads the entire request body into memory at once. Under concurrent requests this degrades availability, though the amount read is still bounded by what the client actually sends.

Affected code

The vulnerability is in `parse_form()` within `python_multipart/multipart.py`. The function parses the `Content-Length` header to an integer without checking its sign, so a negative value (e.g. `-1`) causes the bounded-read logic to compute a negative chunk size, which `input_stream.read()` interprets as read-until-EOF.

What the fix does

The patch adds a guard in `parse_form()` that raises `ValueError` when `content_length < 0` [patch_id=6110792]. This prevents the negative value from reaching the chunk-size computation, so the bounded-read logic always receives a non-negative bound. The fix is minimal and directly addresses the root cause — missing sign validation on the parsed integer.
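The following is an added illustration, not python-multipart's own code: a model of the bounded read loop described above (per-iteration size `min(content_length - bytes_read, chunk_size)`, stop on a short read or once `content_length` bytes arrive), run once without a sign check and once behind each of the two mitigations the advisory names, rejecting a negative `Content-Length` (what 0.0.31 does) or normalizing it to 0 (the interim workaround for custom handlers). The body, chunk size and helper names are constructed for the example.

```python
from io import BytesIO

BODY = b"123456789012345"  # constructed 15-byte body, same size as the upstream test's

def read_sizes(stream, content_length, chunk_size=4):
    """Model (not the library's own code) of the bounded read loop the advisory
    describes: min(content_length - bytes_read, chunk_size) per iteration, stop on
    a short read or at content_length. Returns (requested, received) per read()."""
    bytes_read, log = 0, []
    while True:
        max_readable = min(content_length - bytes_read, chunk_size)
        buff = stream.read(max_readable)  # a negative size means read until EOF
        log.append((max_readable, len(buff)))
        bytes_read += len(buff)
        if len(buff) != max_readable or bytes_read == content_length:
            break
    return log

def parse_content_length(raw, normalize=False):
    """Validate the header before it reaches the loop. normalize=False rejects a
    negative value (what 0.0.31 does); normalize=True clamps it to 0 (the
    advisory's interim workaround for custom handlers)."""
    if raw is None:
        return float("inf")
    value = int(raw)  # int() accepts bytes such as b"-1"
    if value < 0:
        if normalize:
            return 0
        raise ValueError("Content-Length must be non-negative")
    return value

def simulate_unguarded(raw):
    """Pre-0.0.31 behaviour: int() conversion with no sign check."""
    content_length = float("inf") if raw is None else int(raw)
    return read_sizes(BytesIO(BODY), content_length)

def simulate_guarded(raw, normalize=False):
    """Behaviour once the header is rejected or normalized first."""
    return read_sizes(BytesIO(BODY), parse_content_length(raw, normalize))

def check_header(raw):
    """Return the rejection message for raw, or None when it is accepted."""
    try:
        parse_content_length(raw)
    except ValueError as exc:
        return str(exc)
    return None
```

With `Content-Length: 15` the unguarded loop performs four bounded reads; with `-1` it performs a single `read(-1)` that returns the whole body, which is the behaviour the guard removes.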

Preconditions

  • config: The server must call parse_form() directly with a Content-Length header taken from attacker-controlled input.
  • input: The Content-Length header must be set to a negative integer (e.g. -1).
  • config: No upstream middleware or framework normalizes the negative Content-Length before it reaches parse_form().

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)
