Python‑Multipart < 0.0.22 Path‑Traversal Enables Arbitrary File Write in Web Applications
What Happened — The newly disclosed CVE‑2026‑24486 is a path‑traversal flaw in the python‑multipart library (versions < 0.0.22). When the library is configured with UPLOAD_KEEP_FILENAME=True and a custom UPLOAD_DIR, the client‑supplied filename from a multipart upload is used in the destination path without sanitisation, so a crafted filename (e.g., ../../etc/passwd%00.txt) makes the server write the uploaded content to any location the application's process can write to, including privileged paths. A public PoC demonstrates overwriting /etc/hosts, writing into the web root, and dropping a PHP web‑shell.
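The traversal pattern described above, next to the basename-plus-containment sanitisation that the Recommended Actions below call for, as an added Python example. This is illustrative code, not python‑multipart's own implementation: the upload directory /app/uploads, the function names, and the assumption that the server percent-decodes the filename before using it are all hypothetical, and the attacker filenames are constructed to mirror the PoC targets named above.

```python
import os
import posixpath
import urllib.parse

# Hypothetical upload directory; its depth decides how many "../" reach "/".
UPLOAD_DIR = "/app/uploads"


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """The keep-the-client-filename pattern: join the multipart filename onto
    the upload directory unchanged. Any "../" in the name walks out of it."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def escapes_dir(upload_dir: str, path: str) -> bool:
    """True when `path` does not lie under `upload_dir` (both made absolute)."""
    root = os.path.abspath(upload_dir)
    return os.path.commonpath([root, os.path.abspath(path)]) != root


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened variant: return an absolute path inside upload_dir or raise."""
    # Assumption: the framework may percent-decode the name, so decode first
    # and then inspect; otherwise "%2e%2e/" would survive the basename step.
    name = urllib.parse.unquote(filename)
    if "\x00" in name:
        # A NUL truncates the name in C-level path handling; refuse it outright.
        raise ValueError("NUL byte in filename")
    # Keep only the last path component; Windows clients send backslashes.
    name = posixpath.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    root = os.path.abspath(upload_dir)
    candidate = os.path.abspath(os.path.join(root, name))
    # Defence in depth: after basename() this cannot fail, but check anyway.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload directory")
    return candidate


def is_accepted(upload_dir: str, filename: str) -> bool:
    """Convenience wrapper for audits: does the hardened path accept the name?"""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker filenames modelled on the PoC targets described above.
    for name in ["report.pdf", "../../etc/passwd%00.txt",
                 "../../var/www/html/shell.php", "..\\..\\boot.ini"]:
        target = unsafe_upload_path(UPLOAD_DIR, name)
        print(f"{name!r}: unsafe -> {target} "
              f"(escapes={escapes_dir(UPLOAD_DIR, target)}), "
              f"hardened accepts={is_accepted(UPLOAD_DIR, name)}")
```

Note that the hardened version still keeps the client's basename; if the application does not need the original name at all, generating a server-side name (a random token plus an allow-listed extension) removes this whole class of bug and is what disabling UPLOAD_KEEP_FILENAME amounts to.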
Why It Matters for TPRM (third‑party risk management) —
- The library is widely used in Python‑based SaaS, API gateways, and internal web portals; a vulnerable third‑party component can expose your data or compromise your environment.
- Arbitrary file write can lead to credential theft, ransomware staging, or full server takeover, amplifying supply‑chain risk.
- The vulnerability is exploitable without authentication, making it a high‑impact vector for external attackers.
Who Is Affected — Technology & SaaS providers, cloud‑hosted web applications, API services, and any organization that ships Python‑based web services using python‑multipart < 0.0.22.
Recommended Actions —
- Immediately upgrade to python‑multipart>=0.0.22.
- Disable UPLOAD_KEEP_FILENAME, or, if client filenames must be preserved, sanitise them strictly: reduce the name to os.path.basename, reject NUL bytes, and verify that the resolved path still lies under the upload directory.
- Review all third‑party dependency inventories (requirements files, lock files, SBOMs, pip freeze output) for the vulnerable version and apply patches across development, staging, and production environments.
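The inventory review in the last step, as an added Python example that is not part of the advisory or of any project's tooling. It scans requirement-style lines (requirements.txt, pip freeze output) for python‑multipart pinned below 0.0.22, normalising the distribution name the way PEP 503 does so that python_multipart and Python-Multipart spellings are not missed, and it checks the running environment via importlib.metadata. The sample requirement lines are constructed for the example; the 0.0.22 cut-off is the one stated above.

```python
import re
from importlib import metadata

FIXED_VERSION = (0, 0, 22)   # first non-vulnerable release, per the advisory above
TARGET = "python-multipart"

# Matches "name", "name==1.2.3", "name>=1.2"; comments are stripped beforehand.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> tuple:
    """Numeric prefix of each dotted part; enough for X.Y.Z style versions."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def audit_requirements(lines):
    """Return (raw_name, version, status) for every python-multipart entry.

    status is 'vulnerable' (pinned below 0.0.22), 'fixed' (pinned at or above)
    or 'unpinned' (no exact pin, so the installed version must be checked)."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        if normalize_name(name) != TARGET:
            continue
        if op in ("==", "===") and ver:
            status = "vulnerable" if parse_version(ver) < FIXED_VERSION else "fixed"
        else:
            status = "unpinned"
        findings.append((name, ver, status))
    return findings


def installed_status() -> str:
    """Check the interpreter's own environment using installed package metadata."""
    try:
        ver = metadata.version(TARGET)
    except metadata.PackageNotFoundError:
        return "not installed"
    verdict = "vulnerable" if parse_version(ver) < FIXED_VERSION else "fixed"
    return f"{ver}: {verdict}"


# Constructed sample inventory (not taken from any real project).
SAMPLE_REQUIREMENTS = """
fastapi==0.115.0
python-multipart==0.0.20   # pulled in for form parsing
Python_Multipart>=0.0.9
python.multipart==0.0.22
starlette>=0.40
""".splitlines()

if __name__ == "__main__":
    for name, ver, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name} {ver or '(no pin)'}: {status}")
    print("installed:", installed_status())
```

An 'unpinned' result is not a clean bill of health: a range such as >=0.0.9 resolves to whatever the lock file or the deployed environment actually contains, so follow it up with installed_status() on the target host or with the lock file's exact pin.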
Technical Notes — Attack vector: crafted multipart request carrying a malicious filename; CVE‑2026‑24486; affects Python 3.13+ environments according to the advisory; enables arbitrary file write with the privileges of the web‑server process, which can escalate to remote code execution (for example, a web‑shell dropped into the web root). Source: https://www.exploit-db.com/exploits/52543