python-multipart - Debian Package Tracker

general

source: python-multipart (main)
version: 0.0.26-1
maintainer: Sandro Tosi (DMD)
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.0.5-2
oldstable: 0.0.5-3
stable: 0.0.20-1.1~deb13u1
testing: 0.0.22-1
unstable: 0.0.26-1

versioned links

0.0.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.5-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.20-1.1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.22-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.26-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-python-multipart

action needed

A new upstream version is available: 0.0.29 high

A new upstream version 0.0.29 is available, you should consider packaging it.

Created: 2026-04-27 Last update: 2026-05-25 18:30

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2026-42561: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

1 issue left for the package maintainer to handle:

CVE-2026-40347: (needs triaging) Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-18 Last update: 2026-05-14 23:00

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-40347: Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
CVE-2026-42561: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

Created: 2026-04-18 Last update: 2026-05-14 23:00

5 security issues in bookworm high

There are 5 open security issues in bookworm.

1 important issue:

CVE-2026-42561: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

4 issues left for the package maintainer to handle:

CVE-2024-24762: (needs triaging) `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
CVE-2024-53981: (needs triaging) python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
CVE-2026-24486: (needs triaging) Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
CVE-2026-40347: (needs triaging) Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-09 Last update: 2026-05-14 23:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-42561: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

Created: 2026-05-14 Last update: 2026-05-14 23:00

5 security issues in bullseye high

There are 5 open security issues in bullseye.

1 important issue:

CVE-2026-42561: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

4 issues postponed or untriaged:

CVE-2024-24762: (needs triaging) `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
CVE-2024-53981: (postponed; to be fixed through a stable update) python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
CVE-2026-24486: (postponed; to be fixed through a stable update) Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
CVE-2026-40347: (postponed; to be fixed through a stable update) Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Created: 2026-05-14 Last update: 2026-05-14 23:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-04-20 Last update: 2026-05-25 19:33

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-15 Last update: 2026-04-15 15:00

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 0.0.26-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-12-19 Last update: 2026-04-15 16:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-04-15 09:00

testing migrations

excuses:
- Migration status for python-multipart (0.0.22-1 to 0.0.26-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for asgi-csrf/0.11-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for python-multipart/0.0.26-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-multipart.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 41 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-04-15] Accepted python-multipart 0.0.26-1 (source) into unstable (Sandro Tosi)
[2026-03-11] python-multipart 0.0.22-1 MIGRATED to testing (Debian testing watch)
[2026-03-08] Accepted python-multipart 0.0.20-1.1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2026-03-08] Accepted python-multipart 0.0.22-1 (source) into unstable (Sandro Tosi)
[2026-02-10] python-multipart 0.0.20-1.1 MIGRATED to testing (Debian testing watch)
[2026-02-06] Accepted python-multipart 0.0.20-1.1 (source) into unstable (Salvatore Bonaccorso)
[2025-03-16] python-multipart 0.0.20-1 MIGRATED to testing (Debian testing watch)
[2025-03-14] Accepted python-multipart 0.0.20-1 (source) into unstable (Sandro Tosi)
[2024-12-21] python-multipart 0.0.17-5 MIGRATED to testing (Debian testing watch)
[2024-12-19] Accepted python-multipart 0.0.17-5 (source) into unstable (Sandro Tosi)
[2024-11-29] python-multipart 0.0.17-1 MIGRATED to testing (Debian testing watch)
[2024-11-27] Accepted python-multipart 0.0.17-4 (source) into experimental (Sandro Tosi)
[2024-11-27] Accepted python-multipart 0.0.17-3 (source) into experimental (Sandro Tosi)
[2024-11-26] Accepted python-multipart 0.0.17-2 (source all) into experimental (Debian FTP Masters) (signed by: Sandro Tosi)
[2024-11-24] Accepted python-multipart 0.0.17-1 (source) into unstable (Sandro Tosi)
[2024-03-06] python-multipart 0.0.9-1 MIGRATED to testing (Debian testing watch)
[2024-03-02] Accepted python-multipart 0.0.9-1 (source) into unstable (Sandro Tosi)
[2024-01-19] python-multipart 0.0.6-1 MIGRATED to testing (Debian testing watch)
[2024-01-13] Accepted python-multipart 0.0.6-1 (source) into unstable (Sandro Tosi)
[2022-10-28] python-multipart 0.0.5-3 MIGRATED to testing (Debian testing watch)
[2022-10-23] Accepted python-multipart 0.0.5-3 (source) into unstable (Sandro Tosi)
[2021-01-16] python-multipart 0.0.5-2 MIGRATED to testing (Debian testing watch)
[2021-01-11] Accepted python-multipart 0.0.5-2 (source) into unstable (Sandro Tosi)
[2021-01-10] Accepted python-multipart 0.0.5-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Sandro Tosi)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.0.20-1.1