Python-Multipart Denial-of-Service Vulnerability in Header Parsing

Vulnerability

A denial-of-service vulnerability has been identified in Python-Multipart versions prior to 0.0.27. Python-Multipart is a streaming multipart parser for Python, and the issue lies in how it parses the headers of each multipart part. An attacker can cause excessive CPU usage by sending a request whose part contains many repeated headers that never terminate the header block, or a single very large header value. Because this header parsing is unbounded, the server can spend significant CPU time on the request before it is either rejected or completed.

Impact

Exploitation of this vulnerability can cause CPU exhaustion in applications that parse multipart/form-data with affected versions of Python-Multipart. The result is delayed request processing, particularly in ASGI applications built on frameworks such as Starlette or FastAPI, where slow handling of malicious upload requests degrades worker or event-loop performance for all other requests sharing it.

Remediation

Users are advised to upgrade to Python-Multipart version 0.0.27 or later. If an immediate upgrade is not possible, enforcing request body size limits at the server, proxy, or framework level reduces exposure, although a size limit alone does not fully address the vulnerability, since the cost is driven by header structure rather than total body size.
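The body size limit described under Remediation, as an added example that is not part of this advisory or of Python-Multipart itself: a hypothetical pure-ASGI middleware (it assumes no framework; `read_all_app` and `run_request` are constructed stand-ins for a multipart endpoint and an in-memory test driver) that refuses over-limit bodies first by declared Content-Length and then by counting streamed bytes, so an oversized request is stopped before any multipart header parsing runs.

```python
import asyncio

class BodyTooLarge(Exception): pass  # raised by limited_receive() once the body exceeds the cap

class MaxBodySizeMiddleware:  # hypothetical pure-ASGI middleware, no framework dependency
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        # Fast path: a declared Content-Length over the cap is refused before any parsing.
        declared = dict(scope.get("headers", [])).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > self.max_bytes:
            return await self._reject(send)
        seen = 0  # slow path: count what is actually streamed (chunked bodies declare nothing)
        async def limited_receive():
            nonlocal seen
            msg = await receive()
            if msg["type"] == "http.request":
                seen += len(msg.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge(seen)
            return msg
        try:
            await self.app(scope, limited_receive, send)
        except BodyTooLarge:  # safe because a body parser consumes its input before responding
            await self._reject(send)
    async def _reject(self, send):
        await send({"type": "http.response.start", "status": 413, "headers": []})
        await send({"type": "http.response.body", "body": b"Payload Too Large"})

async def read_all_app(scope, receive, send):  # toy endpoint: reads the body, echoes its size
    total, more = 0, True
    while more:
        msg = await receive()
        total, more = total + len(msg.get("body", b"")), msg.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})

def run_request(app, body, declare_length=True, chunk=4096):
    """In-memory ASGI driver: streams the body in chunks, returns (status, response_body)."""
    headers = [(b"content-length", str(len(body)).encode())] if declare_length else []
    chunks = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    sent = []
    async def receive():
        return {"type": "http.request", "body": chunks.pop(0), "more_body": bool(chunks)}
    async def send(msg):
        sent.append(msg)
    asyncio.run(app({"type": "http", "method": "POST", "headers": headers}, receive, send))
    return sent[0]["status"], b"".join(m.get("body", b"") for m in sent[1:])
```

The 413 path is sound only because a body parser consumes the request before starting its response; an application that has already sent `http.response.start` when the cap trips would need a different abort. As the advisory notes, this bounds total bytes rather than header count or header size, so it narrows the exposure without closing the issue.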

Added: May 13, 2026, 9:32 PM
Updated: May 13, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.