fix(deps): Update dependency python-multipart to v0.0.26 [SECURITY]

[cloudquery-ci]

This PR contains the following updates:

Package	Change	Age	Confidence
python-multipart (changelog)	==0.0.9 → ==0.0.26

GitHub Vulnerability Alerts

CVE-2024-53981

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

• GitHub security advisory in Starlette on October 30 by @​Startr4ck
• Email to python-multipart maintainer on October 3 by @​mnqazi

CVE-2026-24486

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.

Affected Configuration

Projects are only affected if all of the following are true:

• UPLOAD_DIR is set
• UPLOAD_KEEP_FILENAME is set to True
• The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

CVE-2026-40347

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.26

Compare Source

• Skip preamble before the first multipart boundary more efficiently #​262.
• Silently discard epilogue data after the closing multipart boundary #​259.

v0.0.25

Compare Source

• Add MIME content type info to File #​143.
• Handle CTE values case-insensitively #​258.
• Remove custom FormParser classes #​257.
• Add UPLOAD_DELETE_TMP to FormParser config #​254.
• Emit field_end for trailing bare field names on finalize #​230.
• Handle multipart headers case-insensitively #​252.
• Apply Apache-2.0 properly #​247.

v0.0.24

Compare Source

• Validate chunk_size in parse_form() #​244.

v0.0.23

Compare Source

• Remove unused trust_x_headers parameter and X-File-Name fallback #​196.
• Return processed length from QuerystringParser._internal_write #​229.
• Cleanup metadata dunders from __init__.py #​227.

v0.0.22

Compare Source

• Drop directory path from filename in File 9433f4b.

v0.0.21

Compare Source

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #​216.

v0.0.20

Compare Source

• Handle messages containing only end boundary #​142.

v0.0.19

Compare Source

• Don't warn when CRLF is found after last boundary on MultipartParser #​193.

v0.0.18

Compare Source

• Hard break if found data after last boundary on MultipartParser #​189.

v0.0.17

Compare Source

• Handle PermissionError in fallback code for old import name #​182.

v0.0.16

Compare Source

• Add dunder attributes to multipart package #​177.

v0.0.15

Compare Source

• Replace FutureWarning to PendingDeprecationWarning #​174.
• Add missing files to SDist #​171.

v0.0.14

Compare Source

• Fix import scheme for multipart module (#​168).

v0.0.13

Compare Source

• Rename import to python_multipart #​166.

v0.0.12

Compare Source

• Improve error message when boundary character does not match #​124.
• Add mypy strict typing #​140.
• Enforce 100% coverage #​159.

v0.0.11

Compare Source

• Improve performance, especially in data with many CR-LF #​137.
• Handle invalid CRLF in header name #​141.

v0.0.10

Compare Source

• Support on_header_begin #​103.
• Improve type hints on FormParser #​104.
• Fix OnFileCallback type #​106.
• Improve type hints #​110.
• Improve type hints on File #​111.
• Add type hint to helper functions #​112.
• Minor fix for Field.repr #​114.
• Fix use of chunk_size parameter #​136.
• Allow digits and valid token chars in headers #​134.
• Fix headers being carried between parts #​135.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.