CVE-2026-28356: Regular Expression Denial of Service in defnull/multipart

The defnull/multipart Python library provides parsers for multipart/form-data and standard HTTP headers. Applications commonly use this library within web frameworks to process incoming file uploads and form submissions. The library implements a function named parse_options_header() to extract key-value pairs from complex headers such as Content-Disposition and Content-Type.

A Regular Expression Denial of Service (ReDoS) vulnerability exists within the parsing logic of this function. The vulnerability is tracked as CVE-2026-28356 and classified under CWE-1333 (Inefficient Regular Expression Complexity). The flaw occurs because the library uses an inefficient regular expression to validate and extract quoted string values from the header parameters.

An unauthenticated remote attacker can exploit this vulnerability by submitting an HTTP request with a specifically crafted header. The regex engine evaluating this header will enter a state of catastrophic backtracking. This consumes all available CPU cycles on the processing thread and results in a denial of service condition for the application.

The vulnerability originates in the _value regular expression defined within multipart.py. This expression extracts the value component of header parameters, such as the filename string in a Content-Disposition header. The regex attempts to match three different token types: a simple quoted string, a raw token, or a complex quoted string containing escaped characters.

The third branch of the _value regex relies on the pattern "(?:\\.|[^"])*". This sub-expression contains an ambiguous alternation that is responsible for the exponential backtracking. The pattern attempts to match zero or more occurrences of either an escaped character \\. or any character that is not a double quote [^"].

The ambiguity arises when the parser encounters a backslash character. The backslash successfully matches the first part of the escape sequence \\.. However, because a backslash is not a double quote, it also successfully matches the second branch [^"].

When a long string of backslashes is supplied without a terminating double quote, the Python NFA-based re engine fails to find a valid match. Before returning a failure, the engine evaluates every possible permutation of assigning each backslash to either the first or second branch of the alternation. This yields an execution time complexity of O(2^n), where n is the number of backslashes.

The vulnerable implementation defines the _value regular expression using string formatting to include the previously defined _token pattern. The code uses the raw string r'"[^\\"]*"|%s|"(?:\\.|[^"])*"' % _token. The critical flaw resides in the third alternative of this regex string.

The maintainers patched the vulnerability by modifying the character class in the third alternative. The patch explicitly excludes the backslash character from the second branch of the alternation. The updated raw string is r'"[^\\"]*"|%s|"(?:\\.|[^\\"])*"' % _token.

By changing [^"] to [^\\"], the regex ensures that a backslash can only be consumed by the explicit escape sequence branch \\.. This modification eliminates the overlapping match conditions.

When the patched regex processes a string of unclosed backslashes, the engine follows a single deterministic path. The evaluation fails linearly without exploring overlapping sub-trees. This restores the evaluation time complexity to O(n) and neutralizes the ReDoS vector.

Exploitation requires the attacker to send an HTTP request to an application endpoint that uses the defnull/multipart library to parse headers. The attacker does not need authentication or specific application state prerequisites. The target must simply process the request headers using the vulnerable parse_options_header() function.

The attacker constructs a payload containing a large number of backslash characters within a multipart header parameter. A standard payload targets the Content-Disposition header. The payload omits the terminating double quote to force the regex engine into the backtracking failure state.

A functional proof-of-concept payload takes the form: Content-Disposition: form-data; name="\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. When the application receives this header, the regex engine begins evaluating the string.

The engine consumes the opening quote and proceeds to evaluate the backslashes. Because the terminating quote is absent, the match ultimately fails. The engine backtracks through the possible path combinations, locking the execution thread indefinitely.

The successful exploitation of CVE-2026-28356 results in a complete denial of service for the affected application thread. The Python process hosting the application will exhibit 100% CPU utilization on a single core. The thread evaluating the regular expression will block indefinitely while attempting to complete the backtracking sequence.

In a standard synchronous web server deployment, an attacker can send concurrent malicious requests to exhaust the worker thread pool. Once all worker threads are locked in the regex evaluation state, the server cannot process legitimate traffic. This causes subsequent requests from legitimate users to timeout or drop.

Asynchronous Python environments also suffer severe degradation. The re module executes synchronous C code that does not yield control back to the asynchronous event loop. A single malicious request will block the entire event loop, preventing all other asynchronous tasks from executing until the regex engine completes or the process is externally terminated.

Organizations must update the defnull/multipart dependency to a patched version. The maintainers resolved the vulnerability in versions 1.2.2 and 1.3.1. Development branches tracking 1.4.0-dev also contain the necessary fixes.

Administrators should verify their dependency trees to ensure the correct package is targeted. The Python ecosystem contains several libraries with "multipart" in their name. The specific vulnerable package is multipart authored by defnull, which is frequently installed as a transitive dependency via micro-frameworks such as Bottle.

If immediate patching is not technically feasible, security teams can deploy Web Application Firewall (WAF) rules to mitigate the attack. WAF rules should inspect the Content-Disposition and Content-Type headers for abnormally long sequences of backslash characters.

Additionally, WAF rules can enforce maximum length constraints on individual HTTP headers. Rejecting requests with unusually large header values prevents the delivery of the required payload length necessary to induce meaningful CPU exhaustion.