The vulnerability CVE-2026-28356 affects the multipart Python library developed by defnull, which is used for parsing multipart/form-data in HTTP requests. The root cause is an inefficient regular expression in the parse_options_header() function within multipart.py. This regex contains an ambiguous alternation pattern that can cause exponential backtracking when processing maliciously crafted multipart headers. Exponential backtracking leads to excessive CPU usage, effectively allowing an attacker to perform a Regular Expression Denial of Service (ReDoS) attack. The vulnerability impacts multipart versions earlier than 1.2.2 and versions from 1.3.0 up to but not including 1.3.1. The attack vector is network-based, requiring no privileges or user interaction, making it straightforward to exploit remotely. The vulnerability does not affect confidentiality or integrity but severely impacts availability by causing application or service slowdown or crash. The issue was publicly disclosed in March 2026 and has been addressed in multipart releases 1.2.2, 1.3.1, and 1.4.0-dev. No public exploit code or active exploitation has been reported to date, but the nature of the vulnerability makes it a significant risk for denial of service in web applications relying on this library for multipart/form-data parsing.

This vulnerability primarily impacts the availability of web applications that use the vulnerable versions of the multipart library for processing HTTP multipart/form-data requests. Attackers can remotely trigger excessive CPU consumption by sending specially crafted multipart headers, leading to denial of service conditions such as application slowdowns, crashes, or unresponsiveness. This can disrupt business operations, degrade user experience, and potentially cause cascading failures in dependent systems. Since the vulnerability requires no authentication or user interaction, it can be exploited by unauthenticated remote attackers, increasing the risk surface. Organizations running Python web applications or APIs that handle file uploads or multipart requests using the affected versions are at risk. The impact is especially critical for high-availability services, cloud-hosted applications, and APIs exposed to the internet. While no confidentiality or integrity loss is involved, the denial of service can be leveraged as part of larger attack campaigns or to distract from other malicious activities.

To mitigate this vulnerability, organizations should immediately upgrade the multipart library to version 1.2.2, 1.3.1, or later, including 1.4.0-dev, where the issue is resolved. If upgrading is not immediately feasible, consider implementing input validation or rate limiting on multipart/form-data requests to reduce the risk of malicious payloads triggering the ReDoS condition. Web application firewalls (WAFs) can be configured to detect and block suspicious multipart header patterns or unusually large multipart requests. Monitoring CPU usage and application performance metrics can help detect potential exploitation attempts. Developers should review and test multipart parsing logic to ensure it does not rely on vulnerable regex patterns. Additionally, adopting fuzz testing and regular expression complexity analysis tools during development can prevent similar issues. Finally, maintain an inventory of all Python dependencies and apply security patches promptly to reduce exposure to known vulnerabilities.