fix(deps): Update dependency python-multipart to v0.0.18 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
python-multipart (changelog)	==0.0.7 -> ==0.0.18

GitHub Vulnerability Alerts

CVE-2024-53981

Summary

When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.

An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact

Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report

This security issue was reported by:

• GitHub security advisory in Starlette on October 30 by @​Startr4ck
• Email to python-multipart maintainer on October 3 by @​mnqazi

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.18

Compare Source

• Hard break if found data after last boundary on MultipartParser #​189.

v0.0.17

Compare Source

• Handle PermissionError in fallback code for old import name #​182.

v0.0.16

Compare Source

• Add dunder attributes to multipart package #​177.

v0.0.15

Compare Source

• Replace FutureWarning to PendingDeprecationWarning #​174.
• Add missing files to SDist #​171.

v0.0.14

Compare Source

• Fix import scheme for multipart module (#​168).

v0.0.13

Compare Source

• Rename import to python_multipart #​166.

v0.0.12

Compare Source

• Improve error message when boundary character does not match #​124.
• Add mypy strict typing #​140.
• Enforce 100% coverage #​159.

v0.0.11

Compare Source

• Improve performance, especially in data with many CR-LF #​137.
• Handle invalid CRLF in header name #​141.

v0.0.10

Compare Source

• Support on_header_begin #​103.
• Improve type hints on FormParser #​104.
• Fix OnFileCallback type #​106.
• Improve type hints #​110.
• Improve type hints on File #​111.
• Add type hint to helper functions #​112.
• Minor fix for Field.repr #​114.
• Fix use of chunk_size parameter #​136.
• Allow digits and valid token chars in headers #​134.
• Fix headers being carried between parts #​135.

v0.0.9

Compare Source

• Add support for Python 3.12 #​85.
• Drop support for Python 3.7 #​95.
• Add MultipartState(IntEnum) #​96.
• Add QuerystringState #​97.
• Add TypedDict callbacks #​98.
• Add config TypedDicts #​99.

v0.0.8

Compare Source

• Check if Message.get_params return 3-tuple instead of str on parse_options_header #​79.
• Cleanup unused regex patterns #​82.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.