CVE-2026-28356
Status: Received - Intake
ReDoS Vulnerability in multipart.py Causes Denial of Service

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
multipart is a fast multipart/form-data parser for Python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-05-07
AI Q&A
2026-03-12
EPSS Evaluated
2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: defnull
Product: multipart
Version / Range: up to and including 1.3.0
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28356 is a denial of service (DoS) vulnerability in the multipart Python package (defnull/multipart), which is used to parse HTTP headers and multipart/form-data streams.

The vulnerability exists in the parse_options_header() function in multipart.py, which uses a regular expression with an ambiguous alternation. This causes exponential backtracking, a type of Regular Expression Denial of Service (ReDoS), when parsing specially crafted HTTP or multipart segment headers.

An attacker can exploit this by sending maliciously crafted requests that cause the parser to consume excessive CPU resources, significantly slowing down or blocking the handling of requests.
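The following is an added example, not code from the multipart project and not the regular expression from multipart.py. It uses a constructed pattern with the same defect class (an ambiguous alternation inside a repeated group) to show why a failing input costs exponential time, and pairs it with an unambiguous pattern and a length cap. The parameter syntax, the attack string and the cap value are illustrative assumptions.

```python
import re
import time

# Constructed, illustrative pattern: NOT the regular expression from multipart.py.
# The alternation (?:\w|\w\w) is ambiguous: a run of n word characters can be
# split into one- and two-character pieces in roughly Fibonacci(n) ways, and on
# an input that ultimately fails to match, a backtracking engine tries every split.
AMBIGUOUS_PARAM = re.compile(r"^([\w-]+)=(?:\w|\w\w)+$")

# Equivalent pattern with exactly one way to consume the value: linear time.
UNAMBIGUOUS_PARAM = re.compile(r"^([\w-]+)=\w+$")

# Defensive cap applied before any regex runs (assumed value). A bounded input
# bounds the worst case even if an ambiguous pattern slips through review.
MAX_PARAM_LEN = 1024


def crafted_param(n):
    """Constructed attack string: a valid prefix, n word characters, then a
    character that makes the whole match fail so the engine must backtrack."""
    return "filename=" + "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def parse_param_guarded(text, pattern=UNAMBIGUOUS_PARAM, max_len=MAX_PARAM_LEN):
    """Hardened parse: length cap plus an unambiguous pattern.
    Returns the parameter name, or None when the input is rejected."""
    if len(text) > max_len:
        return None
    m = pattern.match(text)
    return m.group(1) if m else None


def backtracking_growth(small=16, large=26):
    """Ratio of match time for the larger crafted input over the smaller one.
    With the ambiguous pattern the work grows roughly like Fibonacci(n), so the
    ratio is far above the ~1.6x a linear-time pattern would show."""
    _, t_small = timed_match(AMBIGUOUS_PARAM, crafted_param(small))
    _, t_large = timed_match(AMBIGUOUS_PARAM, crafted_param(large))
    return t_large / max(t_small, 1e-9)


if __name__ == "__main__":
    for n in (16, 20, 24, 28):
        matched, secs = timed_match(AMBIGUOUS_PARAM, crafted_param(n))
        print(f"ambiguous   n={n:4d} matched={matched} {secs:.4f}s")
    matched, secs = timed_match(UNAMBIGUOUS_PARAM, crafted_param(5000))
    print(f"unambiguous n=5000 matched={matched} {secs:.6f}s")
    print("guarded parse:", parse_param_guarded("filename=report"))
```

Running the script shows the ambiguous pattern's time doubling roughly every couple of characters while the unambiguous pattern rejects a 5000-character input in microseconds. The same two controls apply to any header parser: remove the ambiguity from the pattern, and refuse oversized headers before the regex sees them.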

This issue affects versions before 1.2.2 as well as 1.3.0, and has been fixed in versions 1.2.2, 1.3.1, and 1.4.0-dev.


How can this vulnerability impact me? :

This vulnerability can be exploited remotely without any privileges or user interaction, making it relatively easy for attackers to launch.

Successful exploitation causes significant slowdowns or complete blocking of request handling threads in web applications that use the multipart package to parse HTTP request headers or multipart/form-data streams.

The impact is a denial of service (DoS), where legitimate users may be unable to access the affected web application due to resource exhaustion caused by malicious requests.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes exponential backtracking in the parse_options_header() function of the multipart Python package when parsing maliciously crafted HTTP or multipart segment headers. The most reliable check is to inventory installed versions of the multipart distribution and compare them against the fixed releases (1.2.2, 1.3.1, 1.4.0-dev). Runtime symptoms to monitor are worker processes or threads pinned at full CPU while handling a single request, and request latency that rises sharply for requests carrying unusually long Content-Type or Content-Disposition headers.

Specific detection commands are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the multipart Python package to version 1.2.2, 1.3.1, or 1.4.0-dev or later, where the issue has been fixed.

Avoid using vulnerable versions (anything before 1.2.2, and 1.3.0) in your applications, especially those parsing HTTP request headers or multipart/form-data streams. Until the upgrade is deployed, enforcing strict header and segment-header size limits at the reverse proxy or application server bounds the input the regular expression can see and therefore bounds the worst-case CPU cost.
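As an added example for both the detection and the mitigation answers above (not a tool from the multipart project), this script classifies a version string against the affected ranges stated in the advisory and looks up the installed distribution with importlib.metadata. It assumes the PyPI distribution name is "multipart" (defnull/multipart); note that "python-multipart" is a separate distribution and is not the subject of this advisory. Pre-release versions on a fix line (for example 1.4.0-dev) cannot be judged from the number alone, so they are reported as indeterminate.

```python
import re
from importlib import metadata

# PyPI distribution name of defnull/multipart (assumption stated in the lead-in).
DISTRIBUTION = "multipart"

# Accepts "1.3.1", "1.3", "1.4.0-dev", "1.4.0.dev1"; the trailing group keeps any suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), suffix) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def is_vulnerable(version_text):
    """Classify against the advisory: affected before 1.2.2 and at 1.3.0,
    fixed at 1.2.2, 1.3.1 and 1.4.0-dev.
    Returns True (affected), False (fixed) or None (pre-release on a fix
    version, which the number alone cannot decide)."""
    base, suffix = parse_version(version_text)
    if suffix and base in ((1, 2, 2), (1, 3, 1), (1, 4, 0)):
        return None
    if base < (1, 2, 2):
        return True
    if base == (1, 3, 0):
        return True
    return False


def audit_installed(distribution=DISTRIBUTION):
    """Return (installed_version, verdict); (None, None) if not installed."""
    try:
        installed = metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None, None
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    installed, verdict = audit_installed()
    if installed is None:
        print(f"{DISTRIBUTION} is not installed in this environment")
    else:
        label = {
            True: "VULNERABLE - upgrade to 1.2.2 / 1.3.1 or later",
            False: "fixed",
            None: "pre-release - verify the fix commit is included",
        }[verdict]
        print(f"{DISTRIBUTION} {installed}: {label}")
```

Run it inside each virtual environment or container image that serves HTTP, since the vulnerable copy is whichever one the application actually imports; a lockfile entry such as `multipart==1.3.0` in the repository is the equivalent check at the supply-chain level.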

