Python-Multipart Denial-of-Service Vulnerability in Versions Prior to 0.0.26
Vulnerability
A denial-of-service vulnerability has been identified in Python-Multipart, a streaming multipart parser for Python. This issue affects versions prior to 0.0.26 and arises when the parser processes crafted 'multipart/form-data' requests containing large preamble or epilogue sections. The vulnerability allows for excessive CPU consumption during request parsing, which can degrade the application's availability by slowing down the handling of legitimate requests.
Impact
Exploitation of this vulnerability leads to increased CPU usage during the parsing of malformed multipart bodies, which can disrupt the normal request-handling process. While this does not cause a complete denial-of-service for the entire application, it does reduce the capacity to handle requests and can delay responses to legitimate users.
Remediation
Users are advised to upgrade to version 0.0.26 or later, which addresses the vulnerability by improving how the parser handles leading CR/LF data and by discarding epilogue data immediately after the closing boundary.
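As an added example (not python-multipart's own code), the following minimal splitter illustrates the two behaviours the fix describes: leading CR/LF before the first boundary is skipped, delimiters are located in one forward pass, and parsing stops at the closing boundary so epilogue bytes are never examined. The `max_preamble` cap, the function and class names, and the sample body are assumptions constructed for illustration, not library options.

```python
# Added example, not python-multipart's own code: skip leading CR/LF, locate
# delimiters in a single forward pass, stop at the closing boundary.
from dataclasses import dataclass, field

@dataclass
class MultipartResult:
    parts: list = field(default_factory=list)  # raw parts (headers + content)
    preamble_len: int = 0        # bytes skipped before the first delimiter
    epilogue_discarded: int = 0  # bytes ignored after the closing delimiter
    closed: bool = False         # True once "--boundary--" was seen

def split_multipart(body: bytes, boundary: str, max_preamble: int = 64 * 1024) -> MultipartResult:
    """Split body into raw parts in O(len(body)); max_preamble is an assumed defensive cap."""
    delim = b"--" + boundary.encode()
    res = MultipartResult()
    pos = 0
    while pos < len(body) and body[pos] in b"\r\n":  # tolerate leading CR/LF
        pos += 1
    first = body.find(delim, pos)  # one linear search, no per-byte re-scan
    if first == -1:
        raise ValueError("no boundary delimiter found")
    if first > max_preamble:
        raise ValueError(f"preamble larger than {max_preamble} bytes")
    res.preamble_len = first
    pos = first
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):  # closing delimiter: stop, ignore the rest
            res.closed = True
            res.epilogue_discarded = len(body) - (pos + 2)
            return res
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        nxt = body.find(b"\r\n" + delim, pos)  # next delimiter, one linear search
        if nxt == -1:
            raise ValueError("unterminated part: closing boundary missing")
        res.parts.append(body[pos:nxt])
        pos = nxt + 2  # skip the CRLF that belongs to the delimiter line

# Constructed sample: preamble, two parts, closing boundary, then an epilogue.
EPILOGUE = b"trailing bytes a streaming parser should never read"
SAMPLE = (
    b"\r\nthis is a preamble\r\n"
    b"--B\r\n" b'Content-Disposition: form-data; name="a"\r\n\r\nhello\r\n'
    b"--B\r\n" b'Content-Disposition: form-data; name="f"\r\n\r\ndata\r\n'
    b"--B--\r\n" + EPILOGUE
)
```

Because each delimiter is found with a single `find` and the closing delimiter ends parsing, the cost stays linear in the body size regardless of how much preamble or epilogue is supplied.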