Bug 2495855

Summary: CVE-2026-53540 python-python-multipart: Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory [epel-all]
Product: [Fedora] Fedora EPEL Reporter: jkelly <jkelly>
Component: python-python-multipartAssignee: Ben Beasley <code>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: epel10CC: code, python-packagers-sig
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["464df854-1566-42f7-97c9-92e41ad757e5"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-07-01 09:50:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2491443    

Description jkelly 2026-07-01 08:49:05 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.

Comment 1 Ben Beasley 2026-07-01 09:50:46 UTC
https://www.cve.org/CVERecord?id=CVE-2026-53540
https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf

The EPEL10 branch already has a version containing the fix.

The EPEL9 branch is affected, but an incompatible update would be required, and backporting, while it may be straightforward if the surrounding code hasn’t diverged too much, seems like work that isn’t justified by the low severity of this CVE. I believe that the fix comprises https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494 and https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf, and I would accept a reasonable PR backporting these to EPEL9, but I don’t plan to work on it myself.