CVE-2026-53540
Python-Multipart Memory Exposure via Negative Content-Length

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: kludex
Product: python-multipart
Version / Range: all versions before 0.0.31 (0.0.31 itself is excluded)
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Executive Summary

The vulnerability in python-multipart versions prior to 0.0.31 occurs in the parse_form() function, which failed to validate the Content-Length header before using it to limit the size of chunks read from the request body.

If a negative Content-Length value was provided, the function would read the entire request body into memory at once instead of processing it in fixed-size chunks.

This behavior could lead to memory exhaustion and degraded availability under concurrent requests.

The issue is fixed in version 0.0.31, which rejects negative Content-Length values.

Impact Analysis

This vulnerability can cause memory exhaustion by loading the entire request body into memory at once when a negative Content-Length header is used.

Under concurrent requests, this can degrade the availability of the affected application, potentially slowing down or impairing its performance.

However, it does not cause a complete denial of service.

Detection Guidance

This vulnerability affects python-multipart versions prior to 0.0.31, specifically in the parse_form() function when handling a negative Content-Length header.

To detect if your system is vulnerable, you can check the installed version of python-multipart to see if it is older than 0.0.31.

  • Run the command: pip show python-multipart
  • Or check the version in your project's dependency files (e.g., requirements.txt or Pipfile.lock).

Additionally, to detect exploitation attempts, monitor incoming HTTP requests for negative Content-Length headers. A negative Content-Length is never valid in HTTP, so any such request is a strong signal that this issue is being targeted.

  • Use network monitoring tools or web server logs to filter requests with Content-Length headers less than zero.

Mitigation Strategies

The recommended immediate mitigation is to upgrade the python-multipart library to version 0.0.31 or later, where the vulnerability is fixed.

Version 0.0.31 rejects negative Content-Length values, preventing the memory exhaustion issue.

If upgrading is not immediately possible, consider implementing input validation or filtering at the application or web server level to reject requests with negative Content-Length headers. Many reverse proxies and application servers already reject a malformed Content-Length with a 400 response before it reaches the application; confirm this for your deployment rather than assuming it.
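The weak pattern and its fix, as an added illustration rather than python-multipart's own code: a chunked read bounded by Content-Length, the validation the fix implies, and the log filter from the detection guidance above. The function names, the chunk size and the log-line format are assumptions made for this example.

```python
import io
import re

CHUNK_SIZE = 1024  # assumed chunk size for this illustration, not the library's


def unchecked_bounded_read(stream, content_length, chunk_size=CHUNK_SIZE):
    """Weak pattern: chunked read bounded by an unvalidated Content-Length.
    Returns every read's size. A negative remaining makes min() negative,
    and stream.read(negative) means read until EOF: the body arrives in one read."""
    sizes, remaining = [], content_length
    while remaining != 0:
        data = stream.read(min(chunk_size, remaining))
        if not data:
            break
        sizes.append(len(data))
        remaining -= len(data)
    return sizes


CONTENT_LENGTH_RE = re.compile(r"[0-9]+")  # RFC 9110: Content-Length = 1*DIGIT


def validate_content_length(header_value):
    """Hardened check: only a non-negative ASCII decimal is accepted; negative,
    signed, non-numeric and non-ASCII-digit values raise ValueError."""
    value = header_value.strip()
    if not CONTENT_LENGTH_RE.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {header_value!r}")
    return int(value)


def checked_bounded_read(stream, headers, chunk_size=CHUNK_SIZE):
    """Fixed pattern: validate the header, then do the bounded chunked read."""
    length = validate_content_length(headers["Content-Length"])
    return unchecked_bounded_read(stream, length, chunk_size)


def negative_content_length_lines(log_lines):
    """Detection: flag access-log lines that record a negative Content-Length."""
    pattern = re.compile(r"content_length=(-?[0-9]+)")
    return [line for line in log_lines
            if (m := pattern.search(line)) and int(m.group(1)) < 0]


if __name__ == "__main__":
    body = b"x" * 5000  # constructed request body
    print(unchecked_bounded_read(io.BytesIO(body), -1))  # [5000]: one read-until-EOF
    print(checked_bounded_read(io.BytesIO(body), {"Content-Length": "5000"}))  # five chunks
```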
