## Python-Multipart Library Exposes DoS Vulnerability in Form Data Parsing (CVE-2026-40347)
A critical denial-of-service (DoS) vulnerability has been disclosed in the widely used `python-multipart` library, a core component for handling file uploads and form data in Python web frameworks like FastAPI and Starlette. The flaw, tracked as CVE-2026-40347, allows an attacker to crash or severely degrade server performance by sending specially crafted `multipart/form-data` requests. The vulnerability stems from inefficient parsing logic that can be exploited with attacker-controlled input, specifically through large preamble or epilogue sections in the request body.

The security advisory, published by the library's maintainer, details that the vulnerability affects versions prior to 0.0.26. The issue is present in two distinct parsing paths within the library's codebase. When a malicious request containing an excessively large preamble or epilogue is processed, it triggers resource-intensive operations, leading to high CPU consumption and potentially rendering the application unresponsive. This creates a direct vector for service disruption against any web application relying on this library for parsing HTTP multipart data.

The disclosure has triggered immediate action in the open-source ecosystem. Automated dependency update tools like RenovateBot are already generating pull requests to bump the library from vulnerable versions (e.g., 0.0.22) to the patched version 0.0.26. The impact is significant due to the library's integration into popular, high-performance frameworks. Developers and security teams are now under pressure to audit their dependency trees and apply the update promptly to mitigate the risk of exploitation, which requires no authentication and could be launched remotely against exposed endpoints.
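
One way to run the dependency audit described above, as an added example that is not code from the advisory or from the `python-multipart` project. The `0.0.26` threshold comes from this page; the requirement lines in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re
from importlib import metadata

FIXED = (0, 0, 26)  # first patched release, per the advisory summarized above
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
PIN = re.compile(r"\s*==\s*(\d+(?:\.\d+)*)")

# Constructed requirements.txt content, for illustration only.
SAMPLE = """\
fastapi==0.110.0
python-multipart==0.0.22   # pinned below the fix
python_multipart == 0.0.26
python-multipart>=0.0.9
multipart==1.0.0
""".splitlines()

def normalize(name):
    """PEP 503 normalization, so python_multipart and Python.Multipart match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release(text):
    """Leading numeric release as a tuple; pre/post suffixes are ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))

def status(version_text):
    return "vulnerable" if release(version_text) < FIXED else "patched"

def audit_requirements(lines):
    """Return (line_number, version, status) for every python-multipart entry."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop pip-style comments
        name = NAME.match(line)
        if not name or normalize(name.group()) != "python-multipart":
            continue  # other packages, including the unrelated "multipart"
        pin = PIN.match(line, name.end())
        version = pin.group(1) if pin else None
        # A range such as >=0.0.9 can still resolve to a vulnerable release.
        findings.append((number, version, status(version) if pin else "unpinned"))
    return findings

def installed_status():
    """Status of the copy installed in this environment, or None if absent."""
    try:
        return status(metadata.version("python-multipart"))
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    print(audit_requirements(SAMPLE))
    print("installed:", installed_status())
```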

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-40347, Denial of Service, Python Security, Supply Chain, Web Framework
- **Credibility**: unverified
- **Published**: 2026-04-15 21:22:51
- **ID**: 66254
- **URL**: https://whisperx.ai/en/intel/66254