Bug 2495855 - CVE-2026-53540 python-python-multipart: Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory [epel-all]
Summary: CVE-2026-53540 python-python-multipart: Python-Multipart: Negative Content-Le...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-python-multipart
Version: epel10
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Ben Beasley
QA Contact:
URL:
Whiteboard: {"flaws": ["464df854-1566-42f7-97c9-9...
Depends On:
Blocks: CVE-2026-53540
Reported: 2026-07-01 08:49 UTC by jkelly
Modified: 2026-07-01 09:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-07-01 09:50:46 UTC
Type: ---
Embargoed:



Description jkelly 2026-07-01 08:49:05 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
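
An illustration of the read-until-EOF behaviour described above, written for this tracker entry rather than taken from python-multipart itself: the read loop is a sketch of the shape the description gives (each read bounded by Content-Length minus the bytes already consumed, no sign check), run over a constructed 5000-byte body with an assumed 1024-byte chunk size, next to a header validation check of the kind the fix introduces.

```python
import io

CHUNK_SIZE = 1024  # assumed chunk size for this illustration


def read_body_chunks(stream, content_length, chunk_size=CHUNK_SIZE):
    """Sketch (not python-multipart's code) of a read loop that bounds each
    read by Content-Length minus bytes already consumed, with no sign check
    on Content-Length. Returns the size of every chunk handed to the parser."""
    chunk_sizes = []
    bytes_read = 0
    while True:
        # For a negative Content-Length, min() is negative, and a negative
        # size tells Python's stream.read() to read until EOF: the whole body
        # arrives in one chunk instead of chunk_size pieces.
        max_readable = min(content_length - bytes_read, chunk_size)
        buff = stream.read(max_readable)
        if not buff:
            break
        chunk_sizes.append(len(buff))
        bytes_read += len(buff)
        if bytes_read >= content_length:
            break
    return chunk_sizes


def chunk_sizes_for(body, content_length, chunk_size=CHUNK_SIZE):
    """Run the loop over an in-memory body (constructed input)."""
    return read_body_chunks(io.BytesIO(body), content_length, chunk_size)


def validated_content_length(raw):
    """Check of the kind the fix adds: the header must parse as a
    non-negative integer before it is used to bound the read."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"invalid Content-Length: {raw!r}") from None
    if value < 0:
        raise ValueError(f"negative Content-Length: {value}")
    return value


if __name__ == "__main__":
    body = b"x" * 5000  # constructed 5000-byte request body
    print(chunk_sizes_for(body, 5000))  # [1024, 1024, 1024, 1024, 904]
    print(chunk_sizes_for(body, -1))    # [5000]: read-until-EOF, one chunk
    print(validated_content_length("5000"))  # 5000; "-1" raises ValueError
```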

Comment 1 Ben Beasley 2026-07-01 09:50:46 UTC
https://www.cve.org/CVERecord?id=CVE-2026-53540
https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf

The EPEL10 branch already has a version containing the fix.

The EPEL9 branch is affected, but an incompatible update would be required, and backporting, while it may be straightforward if the surrounding code hasn’t diverged too much, seems like work that isn’t justified by the low severity of this CVE. I believe that the fix comprises https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494 and https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf, and I would accept a reasonable PR backporting these to EPEL9, but I don’t plan to work on it myself.
