VYPR

Python Multipart

by Kludex

Source repositories

CVEs (7)

  • CVE-2024-53981 · High · Dec 2, 2024
    risk 0.42 · cvss 7.5 · epss 0.01

    python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time,…
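    The amplification behind this entry is easy to measure: one state-machine step plus one log record per attacker-supplied byte. The block below is an added illustration, not python-multipart's own code; it reconstructs the per-byte pattern the advisory describes beside a variant that consumes the whole run of line breaks in one step, and counts the log records each emits with a counting `logging.Handler`. The logger name `multipart.demo`, the helper names and the constructed preamble are assumptions made for the example.

```python
import logging
import re

# Constructed sample: nothing but line breaks ahead of the first boundary.
# A real request carries at most a few bytes of preamble, so every byte here
# is attacker-controlled work for the parser.
PREAMBLE = b"\r\n" * 2000 + b"--boundary\r\n"


class _Counter(logging.Handler):
    """Counts the records a parser emits instead of writing them anywhere."""

    def __init__(self):
        super().__init__()
        self.records = 0

    def emit(self, record):
        self.records += 1


def _run(skipper, data):
    """Run `skipper` under a counting handler; return (offset, log records)."""
    log = logging.getLogger("multipart.demo")  # name chosen for this example
    log.setLevel(logging.DEBUG)
    log.propagate = False
    counter = _Counter()
    log.addHandler(counter)
    try:
        offset = skipper(data, log)
    finally:
        log.removeHandler(counter)
    return offset, counter.records


def skip_preamble_per_byte(data, log):
    """The pattern the advisory describes (illustrative reconstruction, not
    the library's code): one loop iteration and one log call per CR/LF byte."""
    i = 0
    while i < len(data) and data[i] in (0x0D, 0x0A):
        log.debug("skipping leading CR/LF at offset %d", i)
        i += 1
    return i


_LEADING_NEWLINES = re.compile(rb"[\r\n]*")


def skip_preamble_bulk(data, log):
    """Hardened variant: consume the whole run in one step and log once."""
    end = _LEADING_NEWLINES.match(data).end()
    if end:
        log.debug("skipped %d leading CR/LF bytes", end)
    return end


def compare(data=PREAMBLE):
    """Return {variant: (offset reached, log records emitted)} for both skippers."""
    return {
        "per_byte": _run(skip_preamble_per_byte, data),
        "bulk": _run(skip_preamble_bulk, data),
    }


if __name__ == "__main__":
    for name, (offset, records) in compare().items():
        print(f"{name:9s} stopped at {offset}, emitted {records} log records")
```

    Both variants stop at the same offset, but on the 4000-byte sample the per-byte loop emits 4000 log records while the bulk skip emits one. The same counting handler is a cheap way to check any streaming parser for per-byte logging before an attacker does.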

  • CVE-2026-53539 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: When parsing `application/x-www-form-urlencoded` bodies, `QuerystringParser` located the field separator with a two step lookup: it first scanned the entire remaining buffer for `&`, and only when no `&` existed anywhere ahead did it fall back to scanning for `;`.…

  • CVE-2026-53540 · Low · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: `parse_form()` did not validate the `Content-Length` header before using it to bound its chunked read of the request body. A negative `Content-Length` turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead…
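    The mechanism is a property of Python file objects: `read(n)` with a negative `n` means "read until EOF", so a bounded loop that computes its next chunk size from an unvalidated `Content-Length` collapses into one unbounded read. The block below is an added example, not python-multipart's `parse_form()`; it reconstructs a bounded chunked read of the shape the advisory describes, shows the collapse with `Content-Length: -1`, and pairs it with a header check that accepts only a non-negative ASCII decimal under a configured cap. `CHUNK_SIZE`, `sample_stream` and the `max_body` default are assumptions made for the example.

```python
import io
import re

CHUNK_SIZE = 1024  # assumed chunk size for the example


def sample_stream(size=5000):
    """Constructed request body: `size` bytes of filler in an in-memory stream."""
    return io.BytesIO(b"x" * size)


def read_body_unchecked(stream, content_length):
    """Bounded chunked read of the shape the advisory describes (illustrative
    reconstruction, not the library's code). Returns the size of every read
    performed so the caller can see how many chunks the body arrived in."""
    reads = []
    consumed = 0
    while True:
        to_read = min(CHUNK_SIZE, content_length - consumed)
        if to_read == 0:
            break
        # A negative Content-Length makes to_read negative, and
        # stream.read(<0) reads until EOF: the whole body in one call.
        chunk = stream.read(to_read)
        if not chunk:
            break
        reads.append(len(chunk))
        consumed += len(chunk)
    return reads


# [0-9] rather than \d: \d also matches non-ASCII digits that int() accepts.
_CONTENT_LENGTH = re.compile(r"[0-9]+")


def parse_content_length(header_value, max_body):
    """Accept only a non-negative ASCII decimal no larger than max_body.
    int() alone would also accept '-1', '+5', '5_000' and Unicode digits."""
    if header_value is None:
        raise ValueError("missing Content-Length")
    raw = header_value.strip()
    if not _CONTENT_LENGTH.fullmatch(raw):
        raise ValueError(f"invalid Content-Length: {header_value!r}")
    length = int(raw)
    if length > max_body:
        raise ValueError(f"Content-Length {length} exceeds limit {max_body}")
    return length


def read_body_checked(stream, header_value, max_body=1 << 20):
    """Hardened entry point: validate the header, then run the bounded read."""
    length = parse_content_length(header_value, max_body)
    return read_body_unchecked(stream, length)


if __name__ == "__main__":
    print("Content-Length 5000:", read_body_unchecked(sample_stream(), 5000))
    print("Content-Length -1:  ", read_body_unchecked(sample_stream(), -1))
    for value in ("5000", "-1", "+5", "abc"):
        try:
            print(f"checked {value!r}:", read_body_checked(sample_stream(), value))
        except ValueError as exc:
            print(f"checked {value!r}: rejected ({exc})")
```

    With a 5000-byte body the unchecked loop performs five reads of at most 1024 bytes; with `-1` it performs a single 5000-byte read. The cap in `parse_content_length` matters as much as the sign check: a huge positive value is still honoured chunk by chunk, so the memory bound has to come from the limit, not from the loop.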

  • CVE-2026-53538 · Low · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: `QuerystringParser` treated `;` as a field separator in `application/x-www-form-urlencoded` bodies, in addition to `&`. The [WHATWG URL standard](https://url.spec.whatwg.org/#urlencoded-parsing), modern browsers, and Python's `urllib.parse` (since the CVE-2021-23336…

  • CVE-2026-53537 · Low · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: `parse_options_header` parsed `Content-Disposition` (and `Content-Type`) headers with [`email.message.Message`](https://docs.python.org/3/library/email.compat32-message.html#email.message.Message), which transparently applies [RFC…

  • CVE-2026-24486 · Jan 27, 2026
    risk 0.00 · cvss n/a · epss 0.02

    Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on…
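    The traversal follows from joining a client-supplied filename under `UPLOAD_DIR` unchanged: `..` segments walk out of the directory, and an absolute name replaces it outright. The block below is an added example, not python-multipart's upload code; it reconstructs that join with `posixpath` so the result is deterministic on every platform, and pairs it with a check that accepts only a plain file name and then proves the normalized target is still a child of the upload directory. The directory `/srv/uploads`, the helper names and the accepted-name pattern are assumptions made for the example.

```python
import posixpath
import re

UPLOAD_DIR = "/srv/uploads"  # stands in for the advisory's UPLOAD_DIR setting


def target_path_unchecked(upload_dir, client_filename):
    """Keep the client's filename and join it under the upload directory:
    the pattern the advisory describes for UPLOAD_KEEP_FILENAME=True
    (illustrative reconstruction, not the library's code)."""
    return posixpath.normpath(posixpath.join(upload_dir, client_filename))


# One plain name component: must start with an alphanumeric (so '.', '..'
# and dotfiles are out), may contain '.', '_' and '-', and stays under 256
# characters. Anything with '/', '\\' or NUL fails to match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def target_path_checked(upload_dir, client_filename):
    """Hardened variant: validate the name, then verify containment."""
    if not _SAFE_NAME.fullmatch(client_filename):
        raise ValueError(f"unsafe filename: {client_filename!r}")
    root = posixpath.normpath(upload_dir)
    candidate = posixpath.normpath(posixpath.join(root, client_filename))
    # Belt and braces: even after the name check, refuse any target that does
    # not resolve to a strict child of the upload directory.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"{candidate!r} escapes {root!r}")
    return candidate


def accepted(upload_dir, client_filename):
    """True if the hardened variant would write this name, False if it rejects it."""
    try:
        target_path_checked(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    names = ["report.pdf", "../../etc/passwd", "/etc/passwd",
             "..\\..\\win.ini", ".htaccess", "x\x00.png"]
    for name in names:
        print(f"{name!r:22} unchecked -> {target_path_unchecked(UPLOAD_DIR, name)!r:24} "
              f"checked -> {'accepted' if accepted(UPLOAD_DIR, name) else 'rejected'}")
```

    The name check alone is what stops the traversal; the `commonpath` test is there so a future relaxation of the pattern cannot silently reopen it. Two caveats the pure-path check cannot cover: on a real filesystem resolve `upload_dir` with `os.path.realpath` before comparing, so a symlink planted inside it cannot point elsewhere, and the simplest fix of all is to not keep the client's name and write to a server-generated one instead.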

  • CVE-2024-24762 · Feb 5, 2024
    risk 0.00 · cvss n/a · epss 0.02

    `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the…