Vulnerabilities

CVE-2026-24486

High ⚡ Exploit Available
CWE-22 — Weakness Type
Published: Jan 27, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
8.6
🔗 NVD Official
📄 Description (English)

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

🤖 AI Executive Summary

CVE-2026-24486 is a critical path traversal vulnerability in the Python-Multipart library affecting file upload functionality. When the non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are enabled, attackers can write files to arbitrary filesystem locations, potentially leading to remote code execution or system compromise. An exploit is publicly available, making this an urgent threat requiring immediate patching to version 0.0.22 or configuration remediation.


🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 00:38
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using Python-Multipart in web applications, particularly: Banking sector (SAMA-regulated institutions) using FastAPI for file processing systems; Government agencies (NCA oversight) handling document management; Healthcare providers (MOH) processing patient records; E-commerce and fintech platforms; Telecommunications companies (STC, Mobily) managing customer data uploads. The ability to write arbitrary files could enable attackers to deploy malware, modify critical system files, or escalate privileges within Saudi critical infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Education, Transportation
⚖️ Saudi Risk Score (AI)
8.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems using Python-Multipart library by scanning requirements.txt, setup.py, and dependency manifests
2. Check configuration files for UPLOAD_KEEP_FILENAME=True setting - this is the critical trigger
3. If UPLOAD_KEEP_FILENAME=True is enabled, immediately disable it as temporary mitigation

PATCHING:
1. Upgrade Python-Multipart to version 0.0.22 or later: pip install --upgrade "python-multipart>=0.0.22" (the quotes stop the shell from treating > as an output redirection)
2. Update all FastAPI and dependent applications using this library
3. Restart affected web services after patching
4. Verify patch installation: python -c "import multipart; print(multipart.__version__)"

COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable UPLOAD_KEEP_FILENAME=True in all configurations
2. Implement strict input validation on filenames - reject path traversal sequences (../, ..\, null bytes)
3. Use allowlist-based filename validation accepting only alphanumeric characters and safe symbols
4. Enforce file uploads to isolated directories with restricted permissions (chmod 755)
5. Implement Web Application Firewall (WAF) rules to detect path traversal patterns in upload requests
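The description above explains the root cause (a client-controlled filename is joined onto UPLOAD_DIR) and compensating controls 2 to 4 describe the application-level fix. The following is an added example written for this page, not code from python-multipart or from any project the page describes: it shows the naive join the advisory warns about beside an allowlist validator and a resolved-path containment check. Function names, the allowlist pattern and the sample filenames are assumptions chosen for the illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Added illustration, not python-multipart's own code. The allowlist below is an
# assumption: one path component, starting with a letter, digit, underscore or
# dash, then letters, digits, dots, dashes and underscores, at most 128 chars.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename fails validation."""


def naive_destination(upload_dir: str, client_name: str) -> str:
    """The pattern the advisory warns about: trusting the client's filename.

    With a traversal name the normalised result is no longer under upload_dir.
    Kept only for contrast with safe_upload_path below; never use it.
    """
    return os.path.normpath(os.path.join(upload_dir, client_name))


def validate_filename(client_name: str) -> str:
    """Return client_name unchanged if it is a single safe path component.

    Anything that would need cleaning (null bytes, either separator, '.',
    '..', characters outside the allowlist) is rejected outright rather than
    sanitised, so there is no normalisation step for an attacker to game.
    """
    if "\x00" in client_name:
        raise UnsafeFilename("null byte in filename")
    if "/" in client_name or "\\" in client_name:
        raise UnsafeFilename("path separator in filename")
    if not _SAFE_NAME.fullmatch(client_name):
        raise UnsafeFilename(f"filename not in allowlist: {client_name!r}")
    return client_name


def safe_upload_path(upload_dir: str, client_name: str) -> Path:
    """Compute the destination and prove it sits directly inside upload_dir.

    The containment check on the resolved path is defence in depth: even a
    name that passed the allowlist could be a symlink planted inside
    upload_dir that points somewhere else.
    """
    base = Path(upload_dir).resolve()
    candidate = (base / validate_filename(client_name)).resolve()
    if candidate.parent != base:
        raise UnsafeFilename("destination escapes the upload directory")
    return candidate


def demo() -> dict:
    """Run the checks against constructed names in a temporary upload dir."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    names = [  # constructed sample input
        "quarterly-report.pdf",   # legitimate
        "../../outside.txt",      # traversal with forward slashes
        "..\\..\\outside.txt",    # traversal with backslashes
        "report\x00.pdf",         # null byte
        ".hidden",                # leading dot
        "report 2026.pdf",        # character outside the allowlist
    ]
    accepted, rejected = [], []
    for name in names:
        try:
            safe_upload_path(upload_dir, name)
            accepted.append(name)
        except UnsafeFilename:
            rejected.append(name)
    # Contrast: the naive join would have placed the traversal name outside.
    naive_escapes = not naive_destination(upload_dir, "../../outside.txt").startswith(
        os.path.normpath(upload_dir)
    )
    return {"accepted": accepted, "rejected": rejected, "naive_escapes": naive_escapes}


if __name__ == "__main__":
    print(demo())
```

Rejecting rather than stripping is deliberate: a sanitiser that removes `../` can be fed `....//` and similar, whereas an allowlist has no such second round. The default `UPLOAD_KEEP_FILENAME=False` sidesteps the issue entirely by never using the client name as a path; the check above is for applications that must keep original names.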

DETECTION:
1. Monitor the file system for unexpected file creation in system directories (/etc, /var, /usr, /bin, /sbin; on Windows: C:\Windows, C:\Program Files)
2. Log all file upload requests and validate filename patterns
3. Alert on filenames containing: ../, ..\, %2e%2e and other encoded traversal sequences
4. Monitor Python process file descriptor activity for writes outside designated upload directories
5. Implement SIEM rules: detect_path_traversal_upload_attempts
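Detection steps 2, 3 and 5 call for logging upload filenames and alerting on traversal sequences, including percent-encoded ones. The following is an added example, not part of the original page and not a rule from any SIEM product: it scans constructed upload-log lines, percent-decodes each filename until it stops changing (so double-encoded `%255c` is caught), folds backslashes to slashes and flags names that contain a `..` segment, a null byte or an absolute path. The log format and the rule name are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumption: a key=value format written by the
# application's own upload handler; python-multipart does not write such a log).
SAMPLE_LOG = """\
2026-04-24T00:38:01Z upload client=10.0.0.5 filename="quarterly-report.pdf" status=200
2026-04-24T00:38:02Z upload client=10.0.0.9 filename="../../outside.txt" status=200
2026-04-24T00:38:03Z upload client=10.0.0.9 filename="%2e%2e%2f%2e%2e%2fnotes.txt" status=200
2026-04-24T00:38:04Z upload client=10.0.0.9 filename="..%255c..%255cconfig.ini" status=200
2026-04-24T00:38:05Z upload client=10.0.0.7 filename="photo..jpg" status=200
"""

_LINE = re.compile(r'^(?P<ts>\S+) upload client=(?P<client>\S+) filename="(?P<name>[^"]*)"')
RULE_NAME = "detect_path_traversal_upload_attempts"  # name taken from detection step 5


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, catching double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(name: str) -> bool:
    """True if the decoded filename could leave the upload directory."""
    decoded = decode_layers(name).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    # Only a whole '..' segment counts; 'photo..jpg' is a legitimate name.
    return any(segment == ".." for segment in decoded.split("/"))


def scan_upload_log(text: str) -> list:
    """Return one alert dict per log line whose filename looks like traversal."""
    alerts = []
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue  # unrelated or malformed line
        if is_traversal(match["name"]):
            alerts.append({
                "ts": match["ts"],
                "client": match["client"],
                "filename": match["name"],
                "rule": RULE_NAME,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_upload_log(SAMPLE_LOG):
        print(alert)
```

Decoding before matching is what separates this from a naive string search for `../`: the third and fourth sample lines contain no literal dots-and-slash sequence, yet both resolve to a traversal once decoded. Matching on whole `..` segments rather than the substring `..` keeps names such as `photo..jpg` out of the alert queue.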
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all systems that use the Python-Multipart library by scanning requirements.txt and setup.py files
2. Check configuration files for the UPLOAD_KEEP_FILENAME=True setting - this is the critical trigger
3. If UPLOAD_KEEP_FILENAME=True is enabled, disable it immediately as a temporary mitigation

PATCHING:
1. Upgrade Python-Multipart to version 0.0.22 or later: pip install --upgrade "python-multipart>=0.0.22"
2. Update all FastAPI and dependent applications that use this library
3. Restart the affected services after patching
4. Verify the patch installation: python -c "import multipart; print(multipart.__version__)"

COMPENSATING CONTROLS (if immediate patching is not possible):
1. Disable UPLOAD_KEEP_FILENAME=True in all configurations
2. Apply strict validation of filenames - reject traversal sequences (../, ..\, null bytes)
3. Use allowlist-based filename validation
4. Enforce file uploads into isolated directories with restricted permissions
5. Apply Web Application Firewall rules to detect traversal patterns

DETECTION:
1. Monitor the file system for unexpected file creation in system directories
2. Log all file upload requests and validate filename patterns
3. Alert on filenames containing traversal sequences
4. Monitor Python process file descriptor activity
5. Apply SIEM rules to detect traversal attempts
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.3.1 - Change management procedures for software updates
ECC 2024 A.14.2.1 - Secure development and change control
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - Software development security practices
SAMA CSF DE.CM-8 - Vulnerability scanning and management
🟡 ISO 27001:2022
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.12.3.1 - Change management
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning
📦 Affected Products / CPE (1 entry)
fastapiexpert:python-multipart
📊 CVSS Score
8.6
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): Low (L)
📋 Quick Facts
Severity: High
CVSS Score: 8.6
CWE: CWE-22
EPSS: 0.02%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-01-27
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.8
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-22