Update dependency python-multipart to v0.0.22 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
python-multipart (changelog)	==0.0.9 → ==0.0.22

---

Denial of service (DoS) via deformation multipart/form-data boundary

CVE-2024-53981 / GHSA-59g5-xgcq-4qw3

More information

Details

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

• GitHub security advisory in Starlette on October 30 by @​Startr4ck
• Email to python-multipart maintainer on October 3 by @​mnqazi

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
• https://nvd.nist.gov/vuln/detail/CVE-2024-53981
• https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177
• https://github.com/Kludex/python-multipart

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Python-Multipart has Arbitrary File Write via Non-Default Configuration

CVE-2026-24486 / GHSA-wp53-j4wj-2cfg

More information

Details

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.

Affected Configuration

Projects are only affected if all of the following are true:

• UPLOAD_DIR is set
• UPLOAD_KEEP_FILENAME is set to True
• The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

Severity

• CVSS Score: 8.6 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
• https://nvd.nist.gov/vuln/detail/CVE-2026-24486
• https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
• https://github.com/Kludex/python-multipart
• https://github.com/Kludex/python-multipart/releases/tag/0.0.22

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.22

Compare Source

• Drop directory path from filename in File 9433f4b.

v0.0.21

Compare Source

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #​216.

v0.0.20

Compare Source

• Handle messages containing only end boundary #​142.

v0.0.19

Compare Source

• Don't warn when CRLF is found after last boundary on MultipartParser #​193.

v0.0.18

Compare Source

• Hard break if found data after last boundary on MultipartParser #​189.

v0.0.17

Compare Source

• Handle PermissionError in fallback code for old import name #​182.

v0.0.16

Compare Source

• Add dunder attributes to multipart package #​177.

v0.0.15

Compare Source

• Replace FutureWarning to PendingDeprecationWarning #​174.
• Add missing files to SDist #​171.

v0.0.14

Compare Source

• Fix import scheme for multipart module (#​168).

v0.0.13

Compare Source

• Rename import to python_multipart #​166.

v0.0.12

Compare Source

• Improve error message when boundary character does not match #​124.
• Add mypy strict typing #​140.
• Enforce 100% coverage #​159.

v0.0.11

Compare Source

• Improve performance, especially in data with many CR-LF #​137.
• Handle invalid CRLF in header name #​141.

v0.0.10

Compare Source

• Support on_header_begin #​103.
• Improve type hints on FormParser #​104.
• Fix OnFileCallback type #​106.
• Improve type hints #​110.
• Improve type hints on File #​111.
• Add type hint to helper functions #​112.
• Minor fix for Field.repr #​114.
• Fix use of chunk_size parameter #​136.
• Allow digits and valid token chars in headers #​134.
• Fix headers being carried between parts #​135.

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.