## FastAPI/Starlette Dependency Exposed: python-multipart Patches Critical DoS Vulnerability (CVE-2026-40347)
A denial-of-service (DoS) vulnerability has been patched in a core dependency used by the popular FastAPI and Starlette Python web frameworks. The flaw, tracked as CVE-2026-40347 and scored CVSS 5.3 (medium severity, despite the "critical" label the headline gives it), resides in the `python-multipart` library, which parses multipart form data. An attacker can trigger it by sending a multipart request whose preamble (the bytes before the first boundary delimiter) or epilogue (the bytes after the closing delimiter) is excessively large. Neither region carries any form field, but the parser still has to scan through it, and in the affected versions that scan consumed disproportionate CPU during request parsing, degrading server capacity and potentially making the service unavailable to legitimate users.
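To make the preamble/epilogue mechanism concrete, the following is an added example written for this page; it is not code from `python-multipart`, FastAPI or Starlette. It builds a multipart body from constructed sample fields, measures how many bytes sit outside the delimiters, and applies a size guard that an application could run before handing the body to the framework's parser. The byte limits are assumed values chosen for illustration, not figures taken from the advisory.

```python
from typing import Dict, Tuple

# Assumed limits for this example: an ordinary browser or HTTP client sends an
# empty preamble and at most a trailing CRLF as epilogue, so anything beyond a
# small allowance is suspicious. These numbers are not from the advisory.
MAX_PREAMBLE = 1024
MAX_EPILOGUE = 1024


def build_multipart(boundary: str, fields: Dict[str, bytes],
                    preamble: bytes = b"", epilogue: bytes = b"") -> bytes:
    """Construct a multipart/form-data body per RFC 2046 (sample data only).

    Layout: [preamble CRLF] ( --boundary CRLF headers CRLF CRLF value CRLF )*
            --boundary-- CRLF [epilogue]
    """
    delim = b"--" + boundary.encode()
    out = bytearray()
    if preamble:
        out += preamble + b"\r\n"          # preamble precedes the first delimiter
    for name, value in fields.items():
        out += delim + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += value + b"\r\n"
    out += delim + b"--\r\n"               # close delimiter ends the encapsulations
    out += epilogue                        # epilogue follows the close delimiter
    return bytes(out)


def measure_preamble_epilogue(body: bytes, boundary: str) -> Tuple[int, int]:
    """Return (preamble_bytes, epilogue_bytes) for a multipart body."""
    delim = b"--" + boundary.encode()
    close = delim + b"--"
    first = body.find(delim)
    if first < 0:
        raise ValueError("no boundary delimiter in body")
    preamble = body[:first]
    if preamble.endswith(b"\r\n"):         # the CRLF belongs to the delimiter line
        preamble = preamble[:-2]
    last = body.rfind(close)
    if last < 0:
        raise ValueError("no close delimiter in body")
    epilogue = body[last + len(close):]
    if epilogue.startswith(b"\r\n"):
        epilogue = epilogue[2:]
    return len(preamble), len(epilogue)


def body_within_limits(body: bytes, boundary: str,
                       max_preamble: int = MAX_PREAMBLE,
                       max_epilogue: int = MAX_EPILOGUE) -> bool:
    """Pre-parse guard: reject bodies whose non-content regions are oversized."""
    pre, epi = measure_preamble_epilogue(body, boundary)
    return pre <= max_preamble and epi <= max_epilogue


if __name__ == "__main__":
    boundary = "exampleBoundary123"
    normal = build_multipart(boundary, {"user": b"alice"})
    padded = build_multipart(boundary, {"user": b"alice"},
                             preamble=b"A" * 50_000, epilogue=b"B" * 50_000)
    print("normal:", measure_preamble_epilogue(normal, boundary),
          body_within_limits(normal, boundary))
    print("padded:", measure_preamble_epilogue(padded, boundary),
          body_within_limits(padded, boundary))
```

A guard like this is a belt-and-braces measure for deployments that cannot upgrade immediately; the real fix is the patched library, since the parser itself is what has to be robust against this input.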

The vulnerability was one of eight high- and medium-severity alerts raised across the Python and npm ecosystems in a recent security scan. Seven had already been addressed; the `python-multipart` flaw required direct intervention. The fix was to bump the pin in `requirements.txt` from version 0.0.22 to the patched release 0.0.26, which the maintainers published on April 10, 2026. Notably, `python-multipart` is not imported anywhere in the application's own source code: it is pulled in by FastAPI and Starlette to parse form submissions, so it shows up in the lockfile rather than in the code, which makes it easy to overlook.

This incident underscores the persistent risk in the software supply chain, where vulnerabilities can sit in indirect dependencies that nobody on the team consciously chose. The patched version, 0.0.26, is backwards compatible and requires no API changes, so the upgrade itself is low-friction. The operational burden is elsewhere: development and security teams have to continuously monitor and update dependencies, including those they never explicitly declared. Teams using FastAPI or Starlette should confirm that their environment resolves to `python-multipart` 0.0.26 or later to close off this resource-exhaustion vector.
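The version check the paragraph above calls for, as an added example (not from the advisory or the `python-multipart` project): it reads the installed distribution's version through the standard library and compares it against the 0.0.26 floor stated in the text. The version parsing assumes plain dotted numeric releases like `0.0.26`; handling of pre-release or local version tags is deliberately minimal and is noted as an assumption in the code.

```python
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Optional, Tuple

DIST_NAME = "python-multipart"
PATCHED_FLOOR = (0, 0, 26)   # first fixed release named in the advisory text


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.0.26' into (0, 0, 26) for tuple comparison.

    Assumption: releases are dotted integers. A component such as '26rc1'
    is reduced to its leading digits, which is good enough for a floor check
    on this package but is not a full PEP 440 parser.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(v: str, floor: Tuple[int, ...] = PATCHED_FLOOR) -> bool:
    """True when the given version is at or above the patched floor."""
    return parse_version(v) >= floor


def check_installed(dist: str = DIST_NAME) -> Tuple[Optional[str], Optional[bool]]:
    """Return (installed_version, patched) or (None, None) if not installed.

    Not installed is a legitimate outcome: an app that never parses forms
    may not pull python-multipart in at all, and then it is not exposed.
    """
    try:
        v = installed_version(dist)
    except PackageNotFoundError:
        return None, None
    return v, is_patched(v)


if __name__ == "__main__":
    found, ok = check_installed()
    if found is None:
        print(f"{DIST_NAME} is not installed in this environment")
    else:
        print(f"{DIST_NAME} {found}: {'patched' if ok else 'VULNERABLE, upgrade to >=0.0.26'}")
```

Drop this into a CI step so the build fails on an unpatched version; `python -m pip show python-multipart` gives the same version for a quick manual look, but the script is what turns the check into a gate.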
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, python, fastapi, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-16 01:22:40
- **ID**: 66571
- **URL**: https://whisperx.ai/en/intel/66571