Multipart library vulnerable to slow-down attacks on request headers
CVE-2026-28356 · GHSA-p2m9-wcp5-6qw3 · CVSS 7.5
Summary
A malicious request can cause a web application to slow down or become unresponsive. This affects web applications using the multipart library to parse request headers or file uploads. Update to version 1.2.2, 1.3.1, or 1.4.0-dev to fix this issue.
What to do
- Update multipart to version 1.3.1.
- Update multipart to version 1.2.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | multipart | > 1.3.0, <= 1.3.1 | 1.3.1 |
| – | multipart | <= 1.2.2 | 1.2.2 |
Original title
multipart vulnerable to ReDoS in `parse_options_header()`
Original description
## Summary
The `parse_options_header()` function in `multipart.py` uses a regular expression with an *ambiguous alternation*, which can cause *exponential backtracking (ReDoS)* when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for **denial of service (DoS)** attacks against web applications using this library to parse request headers or `multipart/form-data` streams.
## Impact
Any WSGI or ASGI application using `multipart.parse_form_data()` directly or indirectly (e.g. while parsing `multipart/form-data` streams) is vulnerable. The slow-down is significant enough to block request-handling threads for multiple seconds per request.
## Affected versions
All versions up to and including `1.3.0` are affected. The issue is fixed in `1.2.2`, `1.3.1` and `1.4.0-dev`.
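The function named above splits a header value of the form `value; key="quoted"; key2=token` into the value and its options. As an added example (not the multipart library's own code), here is a single-pass parser for that grammar that uses no regular expression, so its work is linear in the header length whatever shape the input has; the `max_len` cap is an assumed defensive parameter, not one the library exposes.

```python
def parse_options_header(header: str, max_len: int = 8192) -> tuple[str, dict[str, str]]:
    """Split 'value; key="quoted"; key2=token' into (value, {key: val}).
    One forward scan and no regular expression: each character is visited
    once, so the cost is linear in len(header) however the input is shaped.
    max_len is an assumed defensive cap, not a parameter of the real library.
    """
    if len(header) > max_len:
        raise ValueError("header too long")
    n = len(header)
    sep = header.find(";")
    if sep < 0:
        return header.strip().lower(), {}
    value = header[:sep].strip().lower()
    options: dict[str, str] = {}
    i = sep + 1
    while i < n:
        # Key runs up to '=' or ';'; an option without '=' is skipped.
        j = i
        while j < n and header[j] not in "=;":
            j += 1
        key = header[i:j].strip().lower()
        if j >= n or header[j] == ";":
            i = j + 1
            continue
        j += 1  # step over '='
        while j < n and header[j] == " ":
            j += 1
        if j < n and header[j] == '"':
            # Quoted string: a backslash escapes the next character; no lookback.
            buf: list[str] = []
            j += 1
            while j < n and header[j] != '"':
                if header[j] == "\\" and j + 1 < n:
                    j += 1
                buf.append(header[j])
                j += 1
            val = "".join(buf)
            j += 1  # closing quote (or end of input if the quote is unterminated)
            while j < n and header[j] != ";":  # ignore anything after the quote
                j += 1
        else:
            k = j
            while k < n and header[k] != ";":
                k += 1
            val = header[j:k].strip()
            j = k
        if key:
            options[key] = val
        i = j + 1
    return value, options
```

An unterminated quote or a very long token costs one pass over the remaining input rather than a retry of every split point, which is the property the regex-based version lacked.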
nvd CVSS3.1
7.5
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026