CVE-2024-53981
Published: 2024-12-02
Priority: P339, high, 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.64% (46.2th percentile)
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-multipart | < python-multipart 0.0.20-1 (forky) | python-multipart 0.0.20-1 (forky) |
| kludex | python-multipart | < 0.0.18 | 0.0.18 |
| kludex | python-multipart | >= 0 < 0.0.20-1 | 0.0.20-1 |
| kludex | python-multipart | >= 0 < 0.0.20-1 | 0.0.20-1 |
| kludex | python-multipart | >= 0 < 0.0.18 | 0.0.18 |
| kludex | python-multipart | >= 0 < 0.0.5-2ubuntu0.1~esm1 | 0.0.5-2ubuntu0.1~esm1 |
| kludex | python-multipart | >= 0 < 0.0.9-1ubuntu0.1~esm1 | 0.0.9-1ubuntu0.1~esm1 |
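CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |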
OSV
python-multipart vulnerabilities
osv·2026-02-11·CVSS 7.5
CVE-2024-24762 [HIGH] python-multipart vulnerabilities
It was discovered that Python-Multipart incorrectly handled certain
regular expressions. An attacker could possibly use this issue to cause
Python-Multipart to consume excessive resources, leading to a regular
expression denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line
breaks during user input. An attacker could use this issue to send
arbitrary input, thus preventing other requests from being processed,
resulting in a denial of service. This issue was only fixed in
Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal
attacks. An attacker could possibly craft and upload files outside the
target directo
OSV
Denial of service (DoS) via deformation `multipart/form-data` boundary
osv·2024-12-02
CVE-2024-53981 [HIGH] Denial of service (DoS) via deformation `multipart/form-data` boundary
### Summary
When parsing form data, `python-multipart` skips line breaks (CR `\r` or LF `\n`) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.
An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).
### Impact
Applications that use `python-multipart` to parse form dat
GHSA
Denial of service (DoS) via deformation `multipart/form-data` boundary
ghsa·2024-12-02
CVE-2024-53981 [HIGH] CWE-770 Denial of service (DoS) via deformation `multipart/form-data` boundary
### Summary
When parsing form data, `python-multipart` skips line breaks (CR `\r` or LF `\n`) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.
An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).
### Impact
Applications that use `python-multipart` to parse form dat
OSV
CVE-2024-53981: python-multipart is a streaming multipart parser for Python
osv·2024-12-02·CVSS 7.5
CVE-2024-53981 [HIGH] CVE-2024-53981: python-multipart is a streaming multipart parser for Python
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
Ubuntu
Python-Multipart vulnerabilities
vendor_ubuntu·2026-02-11·CVSS 7.5
CVE-2024-53981 [HIGH] Python-Multipart vulnerabilities
Title: Python-Multipart vulnerabilities
Summary: Several security issues were fixed in Python-Multipart.
It was discovered that Python-Multipart incorrectly handled certain
regular expressions. An attacker could possibly use this issue to cause
Python-Multipart to consume excessive resources, leading to a regular
expression denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line
breaks during user input. An attacker could use this issue to send
arbitrary input, thus preventing other requests from being processed,
resulting in a denial of service. This issue was only fixed in
Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal
attacks. An
Red Hat
python-multipart: python-multipart has a DoS via deformation `multipart/form-data` boundary
vendor_redhat·2024-12-02·CVSS 7.5
CVE-2024-53981 [HIGH] CWE-770 python-multipart: python-multipart has a DoS via deformation `multipart/form-data` boundary
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vuln
Debian
CVE-2024-53981: python-multipart - python-multipart is a streaming multipart parser for Python. When parsing form d...
vendor_debian·2024·CVSS 7.5
CVE-2024-53981 [HIGH] CVE-2024-53981: python-multipart - python-multipart is a streaming multipart parser for Python. When parsing form d...
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fix
No detection rules found.
No public exploits indexed.
2024-12-02
Published