Low3.7Red Hat Linux Updated
Negative Content-Length in parse_form buffers the entire body in memory
CVE-2026-53540 Published Jun 22, 2026Updated by vendor Jun 22, 2026
Affected products & platforms
Red Hat LinuxUnclassified
Summary
Negative Content-Length in parse_form buffers the entire body in memory. Red Hat rates this low (CVSS 3.7). Weakness: CWE-400.
Affected versions
- < 0.0.31
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade python-multipart to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before reading the stream. As a workaround, configure the HTTP stack or reverse proxy to reject or normalize negative Content-Length headers before they reach the application layer.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.