SB2026041499 - Excessive Iteration in python-multipart

Description

This security bulletin contains information about 1 security vulnerability.

1) Excessive Iteration (CVE-ID: CVE-2026-40347)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to excessive iteration in multipart/form-data parsing when processing crafted multipart/form-data requests with large preamble or epilogue sections. A remote attacker can send an oversized malformed multipart body to cause a denial of service.

The issue degrades availability by consuming excessive CPU time during request parsing and delaying legitimate requests, but it does not typically result in a complete denial of service for the entire application.

Remediation

Install update from vendor's website.

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj
• https://github.com/advisories/GHSA-mj87-hwqh-73pj