chore(deps): update dependency python-multipart to v0.0.27 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
python-multipart (changelog)	0.0.26 → 0.0.27

---

python-multipart has Denial of Service via unbounded multipart part headers

CVE-2026-42561 / GHSA-pp6c-gr5w-3c5g

More information

Details

Summary

python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.

Impact

Applications that parse attacker-controlled multipart/form-data with affected versions of python-multipart can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke python-multipart may have worker or event-loop delays while processing malicious upload requests.

Details

The affected parser states are HEADER_FIELD_START, HEADER_FIELD, HEADER_VALUE_START, HEADER_VALUE, and HEADER_VALUE_ALMOST_DONE. The issue can be triggered by:

• A multipart part with an oversized individual header value.
• A multipart part with many repeated header lines or an unterminated header block.

Both variants are addressed by enforcing default parser limits for maximum header count and maximum header size.

Mitigation

Upgrade to python-multipart 0.0.27 or later.

If upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of python-multipart still parse multipart part headers without the default header count and header size limits.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
• https://nvd.nist.gov/vuln/detail/CVE-2026-42561
• https://github.com/advisories/GHSA-pp6c-gr5w-3c5g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.27

Compare Source

• Add multipart header limits #​267.
• Pass parse offsets via constructors #​268.

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.