Bug 2477309 (CVE-2026-42561)

Summary: CVE-2026-42561 python-multipart: python-multipart: Denial of Service via excessive multipart part headers
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, caswilli, dfreiber, drow, dschmidt, dtrifiro, ehelms, erezende, ggainey, hasun, ilpinto, jburrell, jdobes, jfula, jkoehler, jlanda, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kshier, lphiri, ltomasbo, mbarnett, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, osousa, pcreech, prwatson, ptisnovs, rbryant, rchan, rjohnson, sdoran, simaishi, smallamp, smcdonal, stcannon, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane, ykashtan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in python-multipart. A remote attacker can exploit this denial of service (DoS) vulnerability by sending a specially crafted request with an excessive number of part headers or a single very large header value during multipart/form-data parsing. This can lead to excessive CPU utilization, resulting in a denial of service for the affected system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description (OSIDB Bzimport, 2026-05-13 22:01:28 UTC)
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
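The defect described above is the absence of two bounds while reading a part's header block: a cap on how many header lines one part may carry, and a cap on how long a single header line may grow before the parser gives up on it. The following is an added illustration written for this page, not python-multipart's own code and not its fix; the class, the limit names and the default values (100 headers, 8192 bytes per line) are assumptions chosen to show the shape of the mitigation. It parses one part's header block incrementally, the way a streaming parser receives it, and rejects the block the moment either limit is crossed, so a never-terminating run of headers or a single oversized header value is refused after bounded work instead of being buffered and scanned indefinitely.

```python
# Added example for this page (not python-multipart code). Limit names and
# default values are assumptions, not the library's actual configuration.

DEFAULT_MAX_PART_HEADERS = 100        # assumed cap on header lines per part
DEFAULT_MAX_PART_HEADER_SIZE = 8192   # assumed cap on bytes in one header line


class PartHeaderLimitExceeded(ValueError):
    """Raised as soon as a part's header block crosses a configured limit."""


class BoundedPartHeaderParser:
    """Incrementally parses 'Name: value\\r\\n' lines up to the blank line that
    ends a multipart part's header block. Input is rejected the moment a
    limit is crossed, so an unbounded header block cannot cause unbounded work."""

    def __init__(self, max_headers=DEFAULT_MAX_PART_HEADERS,
                 max_header_size=DEFAULT_MAX_PART_HEADER_SIZE):
        self.max_headers = max_headers
        self.max_header_size = max_header_size
        self.headers = []      # (lowercased name, value) pairs in arrival order
        self._buf = b""        # bytes of the current, not yet terminated line
        self.done = False

    def feed(self, chunk: bytes) -> int:
        """Consume bytes from chunk. Returns how many were used: all of them
        while the header block is still open, fewer once the terminating blank
        line is reached (the remaining bytes belong to the part body)."""
        if self.done:
            return 0
        self._buf += chunk
        while True:
            nl = self._buf.find(b"\r\n")
            if nl == -1:
                # Still inside one line with no terminator in sight. Refuse to
                # keep buffering past the cap instead of growing without bound.
                if len(self._buf) > self.max_header_size:
                    raise PartHeaderLimitExceeded("part header line too large")
                return len(chunk)
            line, self._buf = self._buf[:nl], self._buf[nl + 2:]
            if line == b"":
                # Blank line: header block complete; hand leftover bytes back.
                self.done = True
                unused = len(self._buf)
                self._buf = b""
                return len(chunk) - unused
            if len(line) > self.max_header_size:
                raise PartHeaderLimitExceeded("part header line too large")
            if len(self.headers) >= self.max_headers:
                raise PartHeaderLimitExceeded("too many part headers")
            name, sep, value = line.partition(b":")
            if not sep or not name.strip():
                raise ValueError("malformed part header line")
            self.headers.append((name.strip().lower(), value.strip()))


def parse_part_headers(raw: bytes, **limits):
    """One-shot helper: parse a complete header block from raw bytes and
    return (headers, offset of the first body byte)."""
    parser = BoundedPartHeaderParser(**limits)
    used = parser.feed(raw)
    if not parser.done:
        raise ValueError("header block not terminated")
    return parser.headers, used


def rejection_reason(raw: bytes, **limits):
    """Return the limit violation message for raw, or None if it parses."""
    try:
        parse_part_headers(raw, **limits)
    except PartHeaderLimitExceeded as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample input: one ordinary part header block plus a body.
    block = (b'Content-Disposition: form-data; name="f"\r\n'
             b"Content-Type: text/plain\r\n\r\nhello")
    print(parse_part_headers(block))
    # Constructed inputs exercising each limit with deliberately small caps.
    print(rejection_reason(b"A: 1\r\nB: 2\r\nC: 3\r\n\r\n", max_headers=2))
    print(rejection_reason(b"X: " + b"a" * 100, max_header_size=16))
```

The two checks sit at different points on purpose: the count check runs per completed line, while the size check also runs on the partial line still waiting for its CRLF, because a parser that only measured finished lines would still buffer an arbitrarily long unterminated header before rejecting it. Whatever values a deployment picks, both limits should be enforced before any further work (such as header value decoding) is spent on the part.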