PT-2026-25010 · Pypi · Multipart

Sharanxp · Published 2026-01-01 · Updated 2026-05-28 · CVE-2026-28356

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

multipart versions prior to 1.2.2
multipart versions prior to 1.3.1
multipart versions prior to 1.4.0-dev

Description

The parse_options_header() function in the multipart.py file uses a regular expression containing an ambiguous alternation. This can lead to exponential backtracking (ReDoS) when processing maliciously crafted HTTP or multipart segment headers. The issue can be exploited to launch denial-of-service (DoS) attacks against web applications that use this library to parse request headers or multipart/form-data streams.

ReDoS occurs when a regular expression engine takes an excessively long time to process a specific input because of backtracking. An ambiguous alternation allows a portion of the input to be matched in more than one way, so the engine explores many possibilities before it can reject the input, which gives exponential time complexity in the worst case.

Recommendations

Update to multipart version 1.2.2 or later.
Update to multipart version 1.3.1 or later.
Update to multipart version 1.4.0-dev or later.
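
The backtracking behaviour named in the description can be made visible by counting steps. The following is an added example, not code from this advisory or from the multipart project. It models a backtracking engine with a small matcher instead of using Python's `re`, and the patterns and the names `count_steps` and `growth` are constructed for illustration; they are not the expression used in multipart.py.

```python
# Added illustration: a step-counting backtracking matcher for patterns of the
# shape ^(?:alt1|alt2|...)*tail$ where every alternative is a literal string.
# The patterns below are constructed for teaching; they are not the expression
# used by multipart.

def count_steps(alternatives, tail, text):
    """Return (matched, steps) for a backtracking match of the whole text."""
    steps = 0

    def match(pos):
        nonlocal steps
        steps += 1
        # Try one more loop iteration with each alternative, in order.
        for alt in alternatives:
            if text.startswith(alt, pos) and match(pos + len(alt)):
                return True
        # No iteration led to a match: leave the loop and require the tail.
        return text[pos:] == tail

    return match(0), steps


AMBIGUOUS = ["a", "a"]   # (?:a|a)*b : two ways to consume every "a"
UNAMBIGUOUS = ["a"]      # a*b       : same language, one way per "a"


def growth(alternatives, sizes):
    """Steps needed to reject 'a' * n (no trailing 'b') for each n."""
    return [count_steps(alternatives, "b", "a" * n)[1] for n in sizes]


if __name__ == "__main__":
    sizes = [4, 8, 12, 16]
    print("n          ", sizes)
    print("ambiguous  ", growth(AMBIGUOUS, sizes))    # doubles per extra char
    print("unambiguous", growth(UNAMBIGUOUS, sizes))  # one more step per char
    # Input that does match is cheap for both, so ordinary tests stay fast.
    print("matching   ", count_steps(AMBIGUOUS, "b", "a" * 16 + "b"))
```

Both patterns accept the same strings; only the rewritten one rejects non-matching input in linear work, which is the kind of change to look for when reviewing a regular expression for this weakness.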

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-28356
GHSA-P2M9-WCP5-6QW3
OPENSUSE-SU-2026:10333-1
USN-8343-1

Affected Products

Multipart