CVE-2026-53540 - Low Severity Vulnerability
Vulnerable Library - python_multipart-0.0.20-py3-none-any.whl
A streaming multipart parser for Python
Library home page: https://files.pythonhosted.org/packages/45/58/38b5afbc1a800eeea951b9285d3912613f2603bdf897a4ab0f4bd7f405fc/python_multipart-0.0.20-py3-none-any.whl
Path to dependency file: /OPENAPI-REST-API/swagger-client/python-flask/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260402123536_MTXLIM/python_EKDBTK/202604021249581/env/lib/python3.9/site-packages/python_multipart-0.0.20.dist-info
Dependency Hierarchy:
- connexion-3.3.0-py3-none-any.whl (Root Library)
  - ❌ python_multipart-0.0.20-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Summary
"parse_form()" did not validate the "Content-Length" header before using it to bound its chunked read of the request body. A negative "Content-Length" turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.
Details
"parse_form()" reads the input stream in chunks, never reading more than the remaining "Content-Length" at a time. The per-chunk size is computed as "min(content_length - bytes_read, chunk_size)". The header value was parsed to an integer without checking its sign, so a "Content-Length" of "-1" made this expression negative, and "input_stream.read(-1)" reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.
Impact
This only affects code that calls "parse_form()" directly with a "Content-Length" header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:
- Starlette and FastAPI drive "MultipartParser" directly from the ASGI "receive()" stream and do not call "parse_form()".
- Known "parse_form()" consumers either do not forward "Content-Length" to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative "Content-Length" to "0".
The realistic exposure is limited to bespoke WSGI or "http.server" handlers that forward raw client headers into "parse_form()". In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.
Mitigation
Upgrade to version "0.0.31" or later, which rejects a negative "Content-Length" with a "ValueError" before reading the stream.
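As an added illustration (not python-multipart's own code), the block below re-creates the bounded chunked read described above and shows how a negative "Content-Length" collapses it into one read-until-EOF, alongside the sign check that the fixed release performs before reading. The names chunked_read, parse_content_length and read_body, the 4-byte chunk size and the 10-byte body are all constructed for the example.

```python
import io
from typing import BinaryIO, Tuple

# Constructed re-creation of the read loop the advisory describes; the
# real parser uses a much larger chunk size, 4 is used here so the
# chunking is visible on a tiny body.

def chunked_read(stream: BinaryIO, content_length: int, chunk_size: int = 4) -> Tuple[int, int]:
    """Read at most content_length bytes, chunk_size per read() call.

    Returns (total_bytes_read, number_of_read_calls).
    """
    bytes_read = 0
    calls = 0
    while True:
        # The expression from the advisory: negative when content_length < 0,
        # and stream.read(-1) means "read until EOF" in a single call.
        max_readable = min(content_length - bytes_read, chunk_size)
        buff = stream.read(max_readable)
        calls += 1
        bytes_read += len(buff)
        # Stop on a short read (EOF, or the unbounded read) or at the limit.
        if len(buff) != max_readable or bytes_read >= content_length:
            break
    return bytes_read, calls


def parse_content_length(header: str) -> int:
    """Parse Content-Length and reject a negative value before any read,
    mirroring the check the fixed release applies."""
    value = int(header.strip())
    if value < 0:
        raise ValueError(f"negative Content-Length: {value}")
    return value


def read_body(body: bytes, header: str, validate: bool) -> Tuple[int, int]:
    """Drive chunked_read() over a constructed body from a raw header value."""
    content_length = parse_content_length(header) if validate else int(header)
    return chunked_read(io.BytesIO(body), content_length)


if __name__ == "__main__":
    body = b"0123456789"                            # constructed 10-byte body
    print(read_body(body, "10", validate=False))    # (10, 3): three bounded chunks
    print(read_body(body, "-1", validate=False))    # (10, 1): one read-until-EOF
    try:
        read_body(body, "-1", validate=True)
    except ValueError as exc:
        print("rejected before reading:", exc)
```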
Publish Date: 2026-06-15
URL: CVE-2026-53540
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9pg-7xvm-68hf
Release Date: 2026-06-15
Fix Resolution: python-multipart - 0.0.31
Step up your Open Source Security Game with Mend here