CVE-2026-28356 Overview
CVE-2026-28356 is a Regular Expression Denial of Service (ReDoS) vulnerability in the multipart library, a fast multipart/form-data parser for Python. Prior to versions 1.2.2, 1.3.1, and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation pattern, which can cause exponential backtracking when parsing maliciously crafted HTTP or multipart segment headers. This vulnerability can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams.
Critical Impact
Remote attackers can cause denial of service by sending specially crafted HTTP headers that trigger catastrophic regex backtracking, potentially rendering web applications unresponsive.
Affected Products
- multipart Python library versions prior to 1.2.2
- multipart Python library versions prior to 1.3.1
- multipart Python library development versions prior to 1.4.0-dev
Discovery Timeline
- 2026-03-12 - CVE CVE-2026-28356 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-28356
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The flaw exists in the parse_options_header() function within the multipart library, which is commonly used by Python web applications to handle file uploads and form data.
The vulnerable function parses HTTP Content-Type headers and multipart boundary specifications. When processing these headers, the regular expression pattern contains an ambiguous alternation that creates multiple matching paths for certain input strings. An attacker can craft input that forces the regex engine to explore an exponentially growing number of potential matches before determining a final result.
This type of algorithmic complexity attack is particularly dangerous because it requires minimal attacker resources while consuming significant server-side CPU cycles. A single malicious request with a carefully constructed header can tie up a server thread for extended periods, and sustained attacks can effectively deny service to legitimate users.
Root Cause
The root cause is an inefficient regular expression pattern in the parse_options_header() function. The regex contains ambiguous alternation constructs that allow the regex engine to interpret certain character sequences in multiple ways. When an attacker provides input that nearly matches but ultimately fails, the regex engine must backtrack and try alternative paths, leading to exponential time complexity. This is a classic ReDoS pattern where the regex engine's backtracking behavior is exploited.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with maliciously crafted headers to any web application that uses the vulnerable multipart library to parse incoming requests. The attack specifically targets the header parsing functionality, meaning any endpoint that accepts multipart/form-data or parses Content-Type headers with options could be vulnerable.
The attack involves crafting header values that contain repeating patterns designed to trigger exponential backtracking in the regex engine. The malicious payload would typically be delivered via HTTP headers such as Content-Type or Content-Disposition within multipart form submissions.
Detection Methods for CVE-2026-28356
Indicators of Compromise
- Abnormally high CPU utilization on web application servers without corresponding increase in successful request completion
- HTTP requests with unusually long or complex Content-Type or Content-Disposition header values
- Web server processes or threads becoming unresponsive or timing out during header parsing operations
- Increased request processing latency correlated with multipart form submissions
Detection Strategies
- Monitor web application response times for endpoints that accept multipart/form-data submissions
- Implement application performance monitoring (APM) to detect CPU-bound operations in header parsing functions
- Deploy web application firewall (WAF) rules to detect and block requests with abnormally long or malformed header values
- Analyze server logs for patterns of requests that result in timeouts or extended processing times
Monitoring Recommendations
- Set up alerts for sustained high CPU usage on web servers handling multipart uploads
- Monitor thread pool exhaustion metrics in application servers
- Track request timeout rates for endpoints accepting file uploads or form submissions
- Implement regex execution time limits where supported by the application framework
How to Mitigate CVE-2026-28356
Immediate Actions Required
- Upgrade the multipart library to version 1.2.2, 1.3.1, or 1.4.0-dev or later immediately
- Review all Python applications that depend on the multipart library and update accordingly
- Consider implementing request timeout limits at the web server or reverse proxy level
- Deploy WAF rules to limit header length and complexity as a temporary measure
Patch Information
The vulnerability is fixed in multipart versions 1.2.2, 1.3.1, and 1.4.0-dev. Users should upgrade to the appropriate fixed version based on their current version branch. The fix addresses the ambiguous alternation in the regular expression pattern used by parse_options_header(). For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Implement request header size limits at the reverse proxy or load balancer level to restrict the length of Content-Type and related headers
- Configure web server timeouts to terminate long-running request processing
- If upgrading is not immediately possible, consider implementing input validation to reject headers with suspicious patterns before they reach the vulnerable function
- Use rate limiting to reduce the impact of sustained DoS attacks targeting this vulnerability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
