PT-2026-38278 · Pypi · Python-Multipart

Published 2026-05-06 · Updated 2026-05-16 · CVE-2026-42561

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

python-multipart versions prior to 0.0.27

Description

A denial of service issue exists in the multipart part header parsing of the MultipartParser when processing multipart/form-data. The parser lacked limits on the number of part headers and on the size of individual part headers. By sending a request with a single very large header value or many repeated headers without terminating the header block, an attacker could cause excessive CPU work, leading to CPU exhaustion and potential worker or event-loop delays in ASGI applications using frameworks like Starlette or FastAPI. The affected parser states include HEADER FIELD START, HEADER FIELD, HEADER VALUE START, HEADER VALUE, and HEADER VALUE ALMOST DONE.

Recommendations

Update to version 0.0.27 or later. Enforce request body size limits at the server, proxy, or framework layer to reduce exposure.

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-42561
ECHO-6701-0C72-DE60
GHSA-PP6C-GR5W-3C5G
OPENSUSE-SU-2026:10797-1

Affected Products

Python-Multipart