CVE-2026-53540
Analyzed Analyzed - Analysis Complete

Python-Multipart Memory Exposure via Negative Content-Length

Vulnerability report for CVE-2026-53540, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastapiexpert python-multipart to 0.0.31 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in python-multipart prior to version 0.0.31 primarily impacts availability by potentially causing memory exhaustion due to improper handling of the Content-Length header. There is no indication that this vulnerability affects confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA focus heavily on protecting personal data confidentiality, integrity, and privacy, this vulnerability does not directly impact compliance with these regulations.

However, degraded availability caused by memory exhaustion could indirectly affect service reliability, which may be a consideration under some regulatory frameworks, but this is not explicitly stated.

Executive Summary

The vulnerability in python-multipart versions prior to 0.0.31 occurs in the parse_form() function, which failed to validate the Content-Length header before using it to limit the size of chunks read from the request body.

If a negative Content-Length value was provided, the function would read the entire request body into memory at once instead of processing it in fixed-size chunks.

This behavior could lead to memory exhaustion and degraded availability under concurrent requests.

The issue is fixed in version 0.0.31, which rejects negative Content-Length values.

Impact Analysis

This vulnerability can cause memory exhaustion by loading the entire request body into memory at once when a negative Content-Length header is used.

Under concurrent requests, this can degrade the availability of the affected application, potentially slowing down or impairing its performance.

However, it does not cause a complete denial of service.

Detection Guidance

This vulnerability affects python-multipart versions prior to 0.0.31, specifically in the parse_form() function when handling a negative Content-Length header.

To detect if your system is vulnerable, you can check the installed version of python-multipart to see if it is older than 0.0.31.

  • Run the command: pip show python-multipart
  • Or check the version in your project's dependency files (e.g., requirements.txt or Pipfile.lock).

Additionally, to detect exploitation attempts, monitor incoming HTTP requests for negative Content-Length headers, which are unusual and indicative of this vulnerability being targeted.

  • Use network monitoring tools or web server logs to filter requests with Content-Length headers less than zero.
Mitigation Strategies

The recommended immediate mitigation is to upgrade the python-multipart library to version 0.0.31 or later, where the vulnerability is fixed.

Version 0.0.31 rejects negative Content-Length values, preventing the memory exhaustion issue.

If upgrading is not immediately possible, consider implementing input validation or filtering at the application or web server level to reject requests with negative Content-Length headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53540. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart