CVE-2024-53981Allocation of Resources Without Limits or Throttling in Python-multipart

CWE-770Allocation of Resources Without Limits or Throttling8 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 69.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Kludex Python-multipartDebian Python-multipart
Timeline
PublishedDec 2
Latest updateFeb 11

Description

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the proc

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

CVEListV5kludex/python-multipart< 0.0.18
debiandebian/python-multipart< python-multipart 0.0.20-1 (forky)
Debiankludex/python-multipart< 0.0.20-1+1
Ubuntukludex/python-multipart< 0.0.5-2ubuntu0.1~esm1+1

🔴Vulnerability Details

4
OSV
python-multipart vulnerabilities2026-02-11
OSV
Denial of service (DoS) via deformation `multipart/form-data` boundary2024-12-02
GHSA
Denial of service (DoS) via deformation `multipart/form-data` boundary2024-12-02
OSV
CVE-2024-53981: python-multipart is a streaming multipart parser for Python2024-12-02

📋Vendor Advisories

3
Ubuntu
Python-Multipart vulnerabilities2026-02-11
Red Hat
python-multipart: python-multipart has a DoS via deformation `multipart/form-data` boundary2024-12-02
Debian
CVE-2024-53981: python-multipart - python-multipart is a streaming multipart parser for Python. When parsing form d...2024