Bug 2491460 (CVE-2026-53537) - CVE-2026-53537 multipart: Python-Multipart: Information disclosure via header parsing discrepancy
Summary: CVE-2026-53537 multipart: Python-Multipart: Information disclosure via header...
Keywords:
Status: NEW
Alias: CVE-2026-53537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494099 2494100
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-22 18:02 UTC by OSIDB Bzimport
Modified: 2026-07-08 12:09 UTC (History)
67 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-22 18:02:43 UTC
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 ยง4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.


Note You need to log in before you can comment on or make changes to this bug.