EXECUTIVE SUMMARY:
CVE-2026-42561 (CVSS 7.5) is a denial of service vulnerability in the python-multipart package affecting versions earlier than 0.0.27. It can be exploited by a remote attacker to cause CPU exhaustion in applications that parse multipart/form-data requests. The MultipartParser does not limit either the number of part headers or the size of an individual part header, so a request carrying many repeated headers, or a single very large header value, consumes disproportionate CPU. An attacker with network access to the affected application can use this to disrupt service availability, causing requests to be delayed or rejected. The business impact is significant: service unavailability, reduced productivity, and potential financial loss. The only prerequisites for exploitation are the ability to send crafted multipart/form-data requests to the application and the application's use of a python-multipart version earlier than 0.0.27.
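As an added illustration (not python-multipart's own code or its actual fix), the following parser shows the two bounds the summary says were missing, a cap on the number of part headers and on the size of a single header, enforced while scanning so that neither a header flood nor one oversized header costs more work than the limit allows. The limit values, function names and sample inputs are assumptions made for this example.

```python
# Assumed limits for this example (not python-multipart's real settings).
MAX_PART_HEADERS = 8
MAX_PART_HEADER_SIZE = 1024  # bytes for one "Name: value" line

class PartHeaderLimitExceeded(ValueError):
    """A part's header block exceeds the configured count or size bound."""

def parse_part_headers(raw: bytes, max_headers: int = MAX_PART_HEADERS,
                       max_header_size: int = MAX_PART_HEADER_SIZE) -> dict:
    """Parse one part's header block (up to the blank line) with both bounds
    enforced while scanning: the CRLF search is windowed to max_header_size,
    so an oversized line is rejected without walking the whole buffer, and
    every line counts toward max_headers, so repeating a name does not help."""
    headers, pos, count = {}, 0, 0
    while True:
        end = raw.find(b"\r\n", pos, pos + max_header_size + 2)
        if end == -1:
            if len(raw) - pos > max_header_size:
                raise PartHeaderLimitExceeded(f"part header over {max_header_size} bytes")
            raise ValueError("unterminated part header block")
        line, pos = raw[pos:end], end + 2
        if line == b"":
            return headers  # blank line terminates the header block
        count += 1
        if count > max_headers:
            raise PartHeaderLimitExceeded(f"more than {max_headers} part headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed part header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

def check_part(raw: bytes) -> str:
    """Classify a header block: 'ok', 'limit' (bound hit) or 'malformed'."""
    try:
        parse_part_headers(raw)
        return "ok"
    except PartHeaderLimitExceeded:
        return "limit"
    except ValueError:
        return "malformed"

# Constructed sample inputs for the demo (not captured traffic).
GOOD_PART = (b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
             b"Content-Type: text/plain\r\n\r\n")
MANY_HEADERS_PART = b"X-Repeat: 1\r\n" * 500 + b"\r\n"        # header-count flood
HUGE_HEADER_PART = b"X-Big: " + b"A" * 100_000 + b"\r\n\r\n"  # one oversized header

if __name__ == "__main__":
    for label, part in [("good", GOOD_PART), ("many", MANY_HEADERS_PART), ("huge", HUGE_HEADER_PART)]:
        print(label, check_part(part))
```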
RECOMMENDATION:
We recommend updating python-multipart to version 0.0.27.
REFERENCES:
The following report contains further technical details:
https://github.com/advisories/GHSA-pp6c-gr5w-3c5g