CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24486: Absolute Chaos: The Path Traversal Vulnerability in Python-Multipart (CVE-2026-24486)

Vulnerability ID: CVE-2026-24486
CVSS Score: 8.6
Published: 2026-01-26

A high-severity path traversal vulnerability in the widely used python-multipart library allows attackers to overwrite arbitrary files on the host system. The flaw relies on a documented behavior of Python's os.path.join: when a later component is an absolute path, every preceding component is discarded, so joining the upload directory with an attacker-supplied absolute filename yields the attacker's path unchanged.

TL;DR

If you are using python-multipart (common in FastAPI/Starlette) with a custom upload configuration (UPLOAD_KEEP_FILENAME=True), an attacker can overwrite any file on your server simply by sending a malicious filename (e.g., /etc/passwd). The fix is to upgrade to version 0.0.22, which sanitizes filenames using os.path.basename.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v3.1: 8.6 (High)
  • Attack Vector: Network (AV:N)
  • Impact: Arbitrary File Write / RCE
  • Affected Component: MultipartParser
  • Patch Commit: 9433f4bbc9652bdde82bbe380984e32f8cfc89c4

Affected Systems

  • python-multipart < 0.0.22 (fixed in 0.0.22)
  • FastAPI applications using python-multipart with custom upload config
  • Starlette applications using python-multipart with custom upload config

Code Analysis

Commit: 9433f4b

Fix potential path traversal by using os.path.basename

@@ -375,7 +375,9 @@ def __init__(self, file_name: bytes | None, field_name: bytes | None = None, con

         # Split the extension from the filename.
         if file_name is not None:
-            base, ext = os.path.splitext(file_name)
+            # Extract just the basename to avoid directory traversal
+            basename = os.path.basename(file_name)
+            base, ext = os.path.splitext(basename)
             self._file_base = base
             self._ext = ext
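Review bot: the new basename is not validated before it is split into self._file_base and self._ext, so degenerate names still flow through: os.path.basename(b'..') is b'..' (splitext then yields base b'..', ext b''), and a file_name ending in a separator gives an empty basename, so the code that later joins self._file_base + self._ext onto the upload directory (the join the report describes) receives b'..' or b'' rather than a usable file name. Suggest rejecting those values right after the basename line, e.g. `if basename in (b"", b".", b".."): raise ValueError("invalid file name")` (or falling back to a server-generated name), and adding regression tests with b'/etc/passwd', b'../../x' and b'..' as inputs, since the hunk ships without any.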

Exploit Details

  • Theory: exploitation requires UPLOAD_KEEP_FILENAME=True and an upload large enough that the parser flushes the file to disk instead of keeping it in memory; only then is the attacker-controlled filename used to open a path on the host.

Mitigation Strategies

  • Input Sanitization: Always strip directory components from filenames using os.path.basename.
  • Least Privilege: Run web applications as a non-root user to limit write access.
  • Configuration Hardening: Disable UPLOAD_KEEP_FILENAME unless strictly necessary.
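To make the os.path.join behaviour from the summary concrete, and to show what the 0.0.22 basename fix does and does not catch next to the application-side sanitization recommended above, here is an added Python example. It is not code from python-multipart or from the report: the upload directory, the sample filenames, and the sanitize_filename / safe_upload_path helpers are constructed for the demo, and the two "target path" functions are simplified models of the library's before/after logic rather than its actual code.

```python
import os
import re
from typing import Optional

# Assumed upload directory for the demo (constructed, not from the report).
UPLOAD_DIR = "/srv/app/uploads"

# Constructed Content-Disposition filenames, one per case of interest.
SAMPLE_FILENAMES = [
    "report.pdf",                # benign
    "/etc/passwd",               # absolute path: os.path.join drops the upload dir
    "../../etc/cron.d/job",      # classic dot-dot traversal
    "..",                        # survives os.path.basename() unchanged
    "uploads/",                  # trailing separator: basename() is empty
    r"C:\Users\victim\run.bat",  # backslash separators from a Windows client
]


def vulnerable_target_path(upload_dir: str, file_name: str) -> str:
    """Model of the pre-0.0.22 behaviour: the raw multipart filename is split
    and joined straight onto the upload directory. os.path.join discards every
    preceding component as soon as a later one is absolute, so an absolute
    filename replaces upload_dir entirely, and '..' segments are kept verbatim."""
    base, ext = os.path.splitext(file_name)
    return os.path.join(upload_dir, base + ext)


def patched_target_path(upload_dir: str, file_name: str) -> str:
    """Model of the 0.0.22 fix: keep only the basename before splitting.
    Note that '..' and '' are still possible results."""
    basename = os.path.basename(file_name)
    base, ext = os.path.splitext(basename)
    return os.path.join(upload_dir, base + ext)


def sanitize_filename(file_name: str) -> Optional[str]:
    """Application-side hardening on top of the library fix: treat both
    separator styles as separators, reject empty or dot-only names, and
    restrict the result to a conservative character set (no leading dot).
    Returns None when the name must be rejected or replaced by a generated one."""
    basename = os.path.basename(file_name.replace("\\", "/"))
    if basename in ("", ".", ".."):
        return None
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}", basename):
        return None
    return basename


def safe_upload_path(upload_dir: str, file_name: str) -> str:
    """Sanitize, then verify the resolved target still lies inside upload_dir
    (defence in depth against a symlinked or misconfigured upload directory)."""
    basename = sanitize_filename(file_name)
    if basename is None:
        raise ValueError(f"rejected filename: {file_name!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, basename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload directory: {file_name!r}")
    return target


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        try:
            hardened = safe_upload_path(UPLOAD_DIR, name)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        print(f"{name!r}\n  vulnerable: {vulnerable_target_path(UPLOAD_DIR, name)}"
              f"\n  patched:    {patched_target_path(UPLOAD_DIR, name)}"
              f"\n  hardened:   {hardened}")
```

Running the script prints the three outcomes per sample name; the vulnerable model returns /etc/passwd untouched for the absolute case, the patched model confines every name to the upload directory but still yields "/srv/app/uploads/.." for a bare "..", and the hardened path rejects that and the empty-basename case outright.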

Remediation Steps:

  1. Identify all projects using python-multipart (check pip freeze or poetry.lock).
  2. Upgrade python-multipart to version 0.0.22 or higher.
  3. Restart the application services to load the new library version.
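As an added example for steps 1 and 2 (not part of the report), the following Python script scans pip freeze-style output for python-multipart pins below the fixed version 0.0.22 and reports the version installed in the current interpreter. The SAMPLE_FREEZE text is constructed; the script only understands name==version lines (with optional environment markers), not poetry.lock, and its version parser handles the dotted-numeric release segment only.

```python
import re
from importlib import metadata
from typing import List, Optional, Tuple

# From the advisory: python-multipart < 0.0.22 is affected, 0.0.22 is fixed.
PACKAGE = "python-multipart"
FIXED_VERSION = (0, 0, 22)

# Constructed sample of `pip freeze` output (not from the report) with a
# vulnerable pin, a fixed pin carrying an environment marker, and a comment.
SAMPLE_FREEZE = """\
fastapi==0.115.0
python-multipart==0.0.20
starlette==0.38.6
# pinned after the advisory
Python_Multipart==0.0.22 ; python_version >= "3.8"
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")


def normalize_name(name: str) -> str:
    """PEP 503 name normalization so python_multipart / Python-Multipart match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading dotted-numeric release segment only; suffixes such as rc1 or
    .post1 are ignored, which is enough for the 0.0.x line in question."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_pins(freeze_text: str) -> List[Tuple[str, str]]:
    """Return (name as written, version) for every python-multipart pin below
    the fixed version. Lines that are not name==version pins (comments,
    editable or VCS installs, hashes) are skipped."""
    hits = []
    for line in freeze_text.splitlines():
        m = PIN_RE.match(line)
        if m is None or normalize_name(m.group(1)) != PACKAGE:
            continue
        if is_vulnerable(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def installed_version(dist: str = PACKAGE) -> Optional[str]:
    """Version of the package in the current interpreter, or None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    import sys
    # Usage: pip freeze | python check_multipart.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FREEZE
    for name, version in find_vulnerable_pins(text):
        print(f"UPGRADE: {name}=={version} (< 0.0.22)")
    here = installed_version()
    if here is not None:
        state = "vulnerable" if is_vulnerable(here) else "fixed"
        print(f"current environment: {PACKAGE} {here} -> {state}")
```

Pipe `pip freeze` from each project's virtual environment into the script; the installed-version check covers the case where the package arrived as a transitive dependency of FastAPI or Starlette and is not pinned explicitly.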

References


Read the full report for CVE-2026-24486 on our website for more details including interactive diagrams and full exploit analysis.