CVE-2026-28356

HIGH

multipart <1.2.2/1.3.1/1.4.0-dev - DoS

Title source: llm

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

References (1)

[Vendor Advisory] https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3

Scores

CVSS v3 7.5

EPSS 0.0082

EPSS Percentile 74.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Published Mar 12, 2026

Tracked Since Mar 13, 2026