CVE-2026-28356: CWE-1333: Inefficient Regular Expression Complexity in defnull multipart
CVE-2026-28356 is a high-severity vulnerability in the defnull multipart Python library, caused by inefficient regular expression complexity in the parse_options_header() function. This flaw leads to exponential backtracking (ReDoS) when processing crafted HTTP or multipart headers, enabling denial of service attacks without requiring authentication or user interaction. Versions prior to 1.2.2, 1.3.1, and 1.4.0-dev are affected. The vulnerability impacts web applications that use this library to parse multipart/form-data streams, potentially causing service outages.
AI Analysis
Technical Summary
The vulnerability CVE-2026-28356 resides in the defnull multipart Python library, specifically in the parse_options_header() function within multipart.py. This function uses a regular expression with ambiguous alternation, which can trigger exponential backtracking when parsing specially crafted HTTP headers or multipart/form-data segments. The result is a Regular Expression Denial of Service (ReDoS) condition: an attacker can send maliciously crafted requests that cause the parser to consume excessive CPU resources, leading to denial of service. The flaw affects multipart versions prior to 1.2.2, 1.3.1, and 1.4.0-dev. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 score of 7.5 reflects its high severity, with the attack vector being network-based, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts the availability of web applications relying on this library for multipart/form-data parsing. The issue has been addressed in the fixed versions by correcting the regular expression to eliminate the ambiguous alternation and so prevent exponential backtracking.
Potential Impact
This vulnerability can cause denial of service conditions in web applications that use the affected multipart library versions to parse HTTP headers or multipart/form-data streams. Attackers can exploit this flaw remotely without authentication, sending crafted requests that trigger excessive CPU consumption and potentially crash or severely degrade the performance of the application or underlying server. This can lead to service outages, impacting availability and potentially causing business disruption, loss of customer trust, and financial damage. Since multipart/form-data parsing is common in web applications handling file uploads or form submissions, a wide range of applications could be affected. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Organizations running vulnerable versions in production environments are at risk of targeted DoS attacks.
Mitigation Recommendations
1. Immediately upgrade the defnull multipart library to version 1.2.2, 1.3.1, or 1.4.0-dev or later, where the vulnerability is fixed.
2. Implement Web Application Firewall (WAF) rules to detect and block suspicious multipart/form-data requests exhibiting abnormal header patterns or excessive length that could trigger the ReDoS condition.
3. Monitor application logs and server performance metrics for unusual spikes in CPU usage or request processing times related to multipart/form-data parsing.
4. Employ rate limiting on endpoints that accept multipart/form-data to reduce the impact of potential abuse.
5. Conduct regular dependency audits and vulnerability scans to identify and remediate outdated or vulnerable libraries promptly.
6. If upgrading immediately is not feasible, consider isolating or restricting access to affected services and applying network-level protections to mitigate attack surface exposure.
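The fix for this CVE landed in three separate release lines (1.2.2, 1.3.1 and 1.4.0-dev), so a naive "is it newer than 1.2.2" check would wrongly clear 1.3.0. The following dependency-audit helper is an added example, not code from the advisory or from the multipart project; it encodes the advisory's per-line thresholds and assumes the library is installed under the PyPI distribution name `multipart`.

```python
"""Check whether a defnull multipart version is affected by CVE-2026-28356.
The fix shipped in three release lines, so the comparison must be line-aware:
1.3.0 is newer than 1.2.2 but still carries the vulnerable regex."""
import re
from importlib import metadata

# First fixed release in each affected line, as stated in the advisory.
FIXED_IN_LINE = {
    (1, 2): (1, 2, 2),
    (1, 3): (1, 3, 1),
}
# 1.4.0-dev and every later line ship with the corrected regex.
FIRST_FIXED_LINE = (1, 4)


def parse_version(version: str) -> tuple:
    """Reduce 'MAJOR.MINOR[.PATCH][suffix]' to (major, minor, patch).
    Pre-release suffixes such as '-dev' or '.dev0' are ignored on purpose:
    the advisory lists 1.4.0-dev itself as fixed."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if this multipart version still contains the vulnerable regex."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_FIXED_LINE:
        return False                      # 1.4.0-dev, 1.4.x, 2.x, ...
    if line in FIXED_IN_LINE:
        return (major, minor, patch) < FIXED_IN_LINE[line]
    return True                           # 1.1.x, 1.0.x, 0.x: no fixed release


def audit_installed(dist_name: str = "multipart") -> str:
    """Report on the locally installed package. Assumes the PyPI distribution
    name 'multipart' (defnull's package); adjust if it was vendored or renamed."""
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return f"{dist_name}: not installed"
    verdict = "VULNERABLE, upgrade" if is_affected(installed) else "fixed"
    return f"{dist_name} {installed}: {verdict} (CVE-2026-28356)"


if __name__ == "__main__":
    print(audit_installed())
```

Run it inside each deployment's virtual environment, since a vendored or pinned copy of the library can differ from what `pip` reports globally.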
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T18:38:13.890Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b30a4d2f860ef943dbc483
Added to database: 3/12/2026, 6:47:41 PM
Last enriched: 3/20/2026, 2:30:12 AM
Last updated: 4/28/2026, 7:23:47 AM