Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
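The description above hinges on one detail: a chunked read bounded by a Content-Length value that was never checked, so a negative header turns `read(min(chunk, remaining))` into `read(-N)`, which file-like objects treat as "read everything". The following is an added illustration written for this tracker, not python-multipart's own parse_form() code: a minimal reader in the shape the advisory describes, beside one that validates the header first. The function names, the chunk size and the sample bodies are assumptions constructed for the example.

```python
import io

# Constructed example: a minimal chunked body reader in the shape the advisory
# describes, not python-multipart's own code. Function names, the 1 MiB chunk
# size and the sample bodies are assumptions made for this illustration.
CHUNK_SIZE = 1024 * 1024


def read_body_unchecked(stream, content_length, chunk_size=CHUNK_SIZE):
    """Chunked read bounded by Content-Length, with the header taken on trust.

    Returns the size of each read so the chunking is observable. When
    content_length is negative, `remaining` is negative, min() selects it, and
    stream.read(<negative>) behaves like read(): the whole body comes back from
    a single call instead of in chunk_size pieces.
    """
    sizes = []
    consumed = 0
    while True:
        remaining = content_length - consumed
        buf = stream.read(min(chunk_size, remaining))
        if not buf:
            break
        sizes.append(len(buf))
        consumed += len(buf)
    return sizes


def parse_content_length(header_value):
    """Validate a Content-Length header value before it bounds any read.

    Accepts only an unsigned ASCII decimal integer, so '-1', '+5', ' 7', ''
    and non-numeric strings are rejected instead of being silently coerced.
    """
    if (not isinstance(header_value, str)
            or not header_value.isascii()
            or not header_value.isdigit()):
        raise ValueError(f"invalid Content-Length: {header_value!r}")
    return int(header_value)


def read_body_checked(stream, content_length, chunk_size=CHUNK_SIZE):
    """Same loop, but the bound is validated first.

    read() is never handed a negative size, the body is consumed in at most
    chunk_size pieces, and no more than content_length bytes are ever read.
    """
    if not isinstance(content_length, int) or content_length < 0:
        raise ValueError(
            f"Content-Length must be a non-negative int, got {content_length!r}")
    sizes = []
    consumed = 0
    while consumed < content_length:
        buf = stream.read(min(chunk_size, content_length - consumed))
        if not buf:
            break  # body shorter than declared: stop at EOF, never read past it
        sizes.append(len(buf))
        consumed += len(buf)
    return sizes


def compare(body, chunk_size=1024):
    """Run both readers over one constructed body with good, negative and
    under-declared Content-Length values; returns the observed read sizes."""
    results = {
        "good_unchecked": read_body_unchecked(io.BytesIO(body), len(body), chunk_size),
        "negative_unchecked": read_body_unchecked(io.BytesIO(body), -1, chunk_size),
        "good_checked": read_body_checked(io.BytesIO(body), len(body), chunk_size),
        "short_checked": read_body_checked(io.BytesIO(body), chunk_size, chunk_size),
    }
    try:
        read_body_checked(io.BytesIO(body), -1, chunk_size)
        results["negative_checked"] = "accepted"
    except ValueError as exc:
        results["negative_checked"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    body = b"A" * (3 * 1024 + 512)  # constructed 3.5 KiB body
    for name, outcome in compare(body).items():
        print(f"{name:20s} {outcome}")
```

With a 1 KiB chunk size the unchecked reader returns `[1024, 1024, 1024, 512]` for an honest header and `[3584]` for `Content-Length: -1`, which is exactly the single whole-body read the advisory describes; the checked reader raises on the negative value and otherwise never reads beyond the declared length. The validation belongs where the header is parsed, before the value is used as a bound, which is the shape of the upstream fix.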
https://www.cve.org/CVERecord?id=CVE-2026-53540
https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf

The EPEL10 branch already has a version containing the fix. The EPEL9 branch is affected, but an incompatible update would be required, and backporting, while it may be straightforward if the surrounding code hasn’t diverged too much, seems like work that isn’t justified by the low severity of this CVE. I believe that the fix comprises https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494 and https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf, and I would accept a reasonable PR backporting these to EPEL9, but I don’t plan to work on it myself.