
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28356: Regular Expression Denial of Service in defnull/multipart

Vulnerability ID: CVE-2026-28356
CVSS Score: 7.5
Published: 2026-03-12

CVE-2026-28356 is a High-severity Regular Expression Denial of Service (ReDoS) vulnerability affecting the Python defnull/multipart library. By supplying a maliciously crafted HTTP or multipart segment header containing ambiguous escape sequences, an unauthenticated remote attacker can force the regex engine into exponential backtracking. This exhausts CPU resources and results in a complete denial of service for the affected application thread.
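To make the "ambiguous escape sequence" mechanism concrete, here is an added example (written for this post, not code from the defnull/multipart project) that compiles the two `_value` patterns from commit d6f79b3, quoted in the Code Analysis section below, side by side. `_token` is an approximation of the library's token character class and is an assumption of this example. `tilings` counts the number of ways the quoted-string loop can consume a run of backslashes: before the fix a backslash can be taken either by `\\.` (two characters) or by `[^"]` (one character), so the count grows like the Fibonacci sequence and the engine explores every path before it can reject an unterminated value; after the fix `[^\\"]` cannot take a backslash, so there is at most one path and rejection is linear.

```python
import re
import time

# Both `_value` regexes from the advisory's quoted commit d6f79b3: the pre-fix
# line and the fixed line. `_token` is this example's approximation (assumption)
# of the library's token character class, not the library's own definition.
_token = r'[^()<>@,;:"\\/\[\]?={} \t]+'
VALUE_BEFORE_FIX = re.compile(r'"[^\\"]*"|%s|"(?:\\.|[^"])*"' % _token)
VALUE_AFTER_FIX = re.compile(r'"[^\\"]*"|%s|"(?:\\.|[^\\"])*"' % _token)


def unterminated_quoted_value(n):
    """Constructed worst-case header value: an opening quote, n backslashes, no closing quote."""
    return '"' + '\\' * n


def tilings(n, single_allowed):
    """Number of distinct ways the quoted-string loop can consume n backslashes.

    `\\.` always consumes two characters. Before the fix, `[^"]` could also
    consume a lone backslash (single_allowed=True); after the fix, `[^\\"]`
    cannot. Every tiling is a path the backtracking engine walks before it
    concludes that no closing quote exists.
    """
    ways = [1] + [0] * n
    for i in range(1, n + 1):
        if single_allowed:
            ways[i] += ways[i - 1]
        if i >= 2:
            ways[i] += ways[i - 2]
    return ways[n]


def accepts(pattern, value):
    """True if the whole header value is a valid `_value` under the given pattern."""
    return pattern.fullmatch(value) is not None


def seconds_to_reject(pattern, n):
    """Wall-clock seconds the pattern needs to reject the n-backslash worst case."""
    value = unterminated_quoted_value(n)
    start = time.perf_counter()
    result = pattern.fullmatch(value)
    elapsed = time.perf_counter() - start
    assert result is None, "an unterminated quoted value must never match"
    return elapsed


if __name__ == "__main__":
    print("n  paths(before)  paths(after)  seconds(before)  seconds(after)")
    for n in (16, 20, 24):
        print(n, tilings(n, True), tilings(n, False),
              f"{seconds_to_reject(VALUE_BEFORE_FIX, n):.4f}",
              f"{seconds_to_reject(VALUE_AFTER_FIX, n):.6f}")
```

Running the block prints the path count and rejection time for a few small inputs; the pre-fix column roughly multiplies by the golden ratio per extra backslash while the fixed column stays flat. Legitimate values such as a bare token, a plain quoted string, or a quoted string with escaped quotes and escaped backslashes match under both patterns, which is why the fix is behaviour-preserving for well-formed headers.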

TL;DR

A ReDoS vulnerability in the defnull/multipart Python library allows remote attackers to cause CPU exhaustion and Denial of Service (DoS) via crafted HTTP headers.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333
  • Attack Vector: Network
  • CVSS Score: 7.5
  • Exploit Status: Proof of Concept available
  • Vulnerability Type: Regular Expression Denial of Service (ReDoS)
  • Authentication Required: None

Affected Systems

  • defnull/multipart Python library
  • multipart: < 1.2.2 (Fixed in: 1.2.2)
  • multipart: >= 1.3.0, < 1.3.1 (Fixed in: 1.3.1)

Code Analysis

Commit: d6f79b3

Fix ambiguous alternation in _value regex to resolve ReDoS (Backported to 1.2.2)

- _value = r'"[^\\"]*"|%s|"(?:\\.|[^"])*"' % _token
+ _value = r'"[^\\"]*"|%s|"(?:\\.|[^\\"])*"' % _token
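Review bot: the `+` line resolves the ambiguity (a backslash can now only be consumed by `\\.`, because `[^\\"]` mirrors the character class of the first alternative), but the hunk carries no regression test and no comment, so nothing in the commit prevents a later edit from reintroducing `[^"]`. Suggest adding a test that feeds `_value` an opening quote followed by a long run of backslashes with no closing quote and asserts it is rejected within a tight time bound, plus a one-line comment above `_value` stating that the quoted-string alternative must never let the single-character branch match a backslash.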

Commit: 7e4fe6f

Performance backports for 1.3.1 including ReDoS fix

Code modifications identical to d6f79b30ee21904ab552950acfe4aae79fa55d3d applied to 1.3.x branch.

Mitigation Strategies

  • Update defnull/multipart to version 1.2.2 or 1.3.1
  • Implement WAF rules limiting HTTP header length
  • Filter requests containing excessive backslashes in Content-Disposition or Content-Type headers
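The two filtering mitigations above (a header length cap and a backslash cap on Content-Disposition and Content-Type) can be applied before a request reaches the multipart parser. The following is an added example for this post, not project code: the thresholds are constructed assumptions to be tuned per deployment, the `part_header_blocks` splitter is a minimal boundary split for screening rather than a full multipart parser, and the sample bodies are constructed. The backslash check is scoped to the two headers whose parameter values the vulnerable `_value` regex parses, because legitimate uploads can carry a few escaped backslashes in a Windows-style `filename`.

```python
# Constructed thresholds for this example (assumptions, not values from the advisory).
MAX_HEADER_LENGTH = 8192
MAX_BACKSLASHES = 64

# The `_value` regex parses parameter values in these headers, so the backslash
# cap is scoped to them; the length cap applies to every header.
SCREENED_HEADERS = {"content-disposition", "content-type"}


def screen_header(name, value, max_len=MAX_HEADER_LENGTH, max_backslashes=MAX_BACKSLASHES):
    """Return a rejection reason for one header, or None if it passes."""
    if len(value) > max_len:
        return f"{name}: value length {len(value)} exceeds {max_len}"
    if name.lower() in SCREENED_HEADERS:
        count = value.count("\\")
        if count > max_backslashes:
            return f"{name}: {count} backslashes exceeds {max_backslashes}"
    return None


def screen_request_headers(headers):
    """Screen top-level request headers given as an iterable of (name, value) pairs."""
    return [r for r in (screen_header(n, v) for n, v in headers) if r is not None]


def part_header_blocks(body, boundary):
    """Yield each part's raw header block from a multipart body (bytes).

    Minimal boundary splitting for screening only; not a full RFC 2046 parser.
    """
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter `--boundary--`
            break
        head, _, _ = chunk.partition(b"\r\n\r\n")
        yield head.strip(b"\r\n")


def screen_multipart_body(body, boundary):
    """Screen the headers of every part before the body is handed to the multipart parser."""
    reasons = []
    for block in part_header_blocks(body, boundary):
        for line in block.split(b"\r\n"):
            name, _, value = line.partition(b":")
            reason = screen_header(name.decode("latin-1").strip(),
                                   value.decode("latin-1").strip())
            if reason is not None:
                reasons.append(reason)
    return reasons


def build_multipart(boundary, parts):
    """Build a constructed multipart/form-data body from (header_lines, data) pairs."""
    out = b""
    for header_lines, data in parts:
        out += (b"--" + boundary + b"\r\n" + b"\r\n".join(header_lines)
                + b"\r\n\r\n" + data + b"\r\n")
    return out + b"--" + boundary + b"--\r\n"


BOUNDARY = b"exampleboundary"  # constructed

# Constructed benign upload: a Windows-style path with a few escaped backslashes.
BENIGN_BODY = build_multipart(BOUNDARY, [
    ([b'Content-Disposition: form-data; name="upload"; filename="C:\\\\temp\\\\notes.txt"',
      b"Content-Type: text/plain"], b"hello"),
])

# Constructed hostile upload: the filename opens a quote and runs on in backslashes.
HOSTILE_BODY = build_multipart(BOUNDARY, [
    ([b'Content-Disposition: form-data; name="upload"; filename="' + b"\\" * 500], b"x"),
])

if __name__ == "__main__":
    print("benign :", screen_multipart_body(BENIGN_BODY, BOUNDARY))
    print("hostile:", screen_multipart_body(HOSTILE_BODY, BOUNDARY))
```

A WAF rule or middleware that rejects on any returned reason is a stop-gap only; it narrows the attack surface while the package update from the Remediation Steps is rolled out, and it should be logged so that residual attempts remain visible.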

Remediation Steps:

  1. Identify all applications utilizing the defnull/multipart library.
  2. Update the package via pip or dependency managers to version 1.3.1 or 1.2.2.
  3. Restart the application services to load the patched library.
  4. Monitor CPU usage metrics for residual ReDoS attempts.

References


Read the full report for CVE-2026-28356 on our website for more details including interactive diagrams and full exploit analysis.
