CVE-2026-28356
Status: Received - Intake
ReDoS Vulnerability in multipart.py Causes Denial of Service

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
multipart is a fast multipart/form-data parser for Python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications that use this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-12
Generated: 2026-06-16
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor    Product     Version / Range
defnull   multipart   up to 1.3.0 (inclusive)
Helpful Resources

CWE ID     Description
CWE-1333   The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Quick Actions
Executive Summary

CVE-2026-28356 is a high-severity denial of service (DoS) vulnerability in the multipart Python package, which is used to parse multipart/form-data streams.

The vulnerability exists in the parse_options_header() function in multipart.py, which uses a regular expression with an ambiguous alternation. This causes exponential backtracking, a type of Regular Expression Denial of Service (ReDoS), when parsing specially crafted HTTP or multipart segment headers.

An attacker can exploit this by sending maliciously crafted requests that cause the parser to consume excessive CPU resources, significantly slowing down or blocking the handling of requests.

This issue affects all versions up to 1.3.0 and has been fixed in versions 1.2.2, 1.3.1, and 1.4.0-dev.

Impact Analysis

This vulnerability can be exploited remotely without any privileges or user interaction, so it is relatively easy for attackers to trigger.

Successful exploitation causes significant slowdowns or complete blocking of request handling threads in web applications that use the multipart package to parse HTTP request headers or multipart/form-data streams.

The impact is a denial of service (DoS), where legitimate users may be unable to access the affected web application due to resource exhaustion caused by malicious requests.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes exponential backtracking in the parse_options_header() function of the multipart Python package when parsing maliciously crafted HTTP or multipart segment headers. Detection can involve monitoring for unusually high CPU usage or slowdowns in web applications that use this library to parse HTTP request headers or multipart/form-data streams.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade the multipart Python package to version 1.2.2, 1.3.1, or 1.4.0-dev (or later), where the issue has been fixed.

Avoid using vulnerable versions up to and including 1.3.0 in your applications, especially those parsing HTTP request headers or multipart/form-data streams.
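The following is an added example, not code from the advisory or from the multipart project: a small inventory check that reads the installed version of the defnull "multipart" distribution and compares it against the affected ranges stated above (fixed in 1.2.2 on the 1.2 line, 1.3.1 on the 1.3 line, and 1.4.0-dev onward). It assumes the PyPI distribution name is "multipart" (the defnull project named in the CPE, not the unrelated "python-multipart"), and it treats every release older than the 1.2 line as affected, an assumption drawn from "prior to 1.2.2" and the CPE range having no lower bound.

```python
import re
from importlib import metadata

# Affected and fixed ranges as stated in the advisory for CVE-2026-28356:
# 1.2.x is fixed from 1.2.2, 1.3.x is fixed from 1.3.1, and 1.4.0-dev and
# everything after carries the fix. Assumption: release lines older than
# 1.2 have no fixed release and are treated as affected.
FIRST_FIXED_PATCH = {
    (1, 2): 2,   # 1.2.2 is the first fixed 1.2.x release
    (1, 3): 1,   # 1.3.1 is the first fixed 1.3.x release
}
FIRST_FIXED_SERIES = (1, 4)   # 1.4.0-dev and later are fixed
NEWEST_FIXED_RELEASE = "1.3.1"  # fallback upgrade target for old lines

# Numeric prefix only; pre-release suffixes such as ".dev0" or "-dev" are
# ignored so that a dev build is judged by its base release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a PEP 440-style version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version_text):
    """True if this multipart version lies in the range affected by CVE-2026-28356."""
    major, minor, patch = parse_version(version_text)
    series = (major, minor)
    if series >= FIRST_FIXED_SERIES:
        return False
    if series in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[series]
    # Older lines (1.1 and below): no fixed release exists on that line.
    return True


def recommended_upgrade(version_text):
    """Smallest fixed release on the same minor line, else the newest fixed release."""
    major, minor, _ = parse_version(version_text)
    fixed_patch = FIRST_FIXED_PATCH.get((major, minor))
    if fixed_patch is not None:
        return f"{major}.{minor}.{fixed_patch}"
    return NEWEST_FIXED_RELEASE


def check_installed(dist_name="multipart"):
    """Return (installed_version, is_vulnerable) or None if not installed.

    The distribution name "multipart" is an assumption: it is the defnull
    project named in the CPE, not the separate "python-multipart" package.
    """
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("multipart is not installed in this environment")
    else:
        installed, vuln = result
        status = "AFFECTED" if vuln else "not affected"
        print(f"multipart {installed}: {status} by CVE-2026-28356")
        if vuln:
            print(f"upgrade to {recommended_upgrade(installed)} or later")
```

Run it inside each deployment's virtual environment (or point `check_installed` at a requirements lock by calling `is_vulnerable` on the pinned string); the per-line fixed releases matter because a simple "< 1.3.1" test would wrongly flag 1.2.2, which already carries the fix.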
