fix(security): bump python-multipart 0.0.20 -> 0.0.27 (#332)

Closes three known advisories in python-multipart, all reachable
from the FastAPI multipart form-parser used across the API
(transcribe_audio, knowledge_base uploads, presigned upload flows):

- GHSA-wp53-j4wj-2cfg (HIGH, CWE-22) — arbitrary file write via
  non-default configuration. Fixed in 0.0.22.
- GHSA-pp6c-gr5w-3c5g (HIGH, CWE-400) — DoS via unbounded multipart
  part headers. Fixed in 0.0.27.
- GHSA-mj87-hwqh-73pj (MOD, CWE-400) — DoS via large multipart
  preamble or epilogue. Fixed in 0.0.26.

0.0.27 is a patch-level bump within the same 0.0.x line, no API
changes; fastapi==0.135.3 only requires python-multipart>=0.0.7 so
the upper bound is unaffected.

Detected by Aeon + osv-scanner.

Co-authored-by: aeonframework <aeon@aaronjmars.com>
@aaronjmars 2026-05-21 05:59:27 -04:00 committed by GitHub
parent d97d1d72cd
commit 332754a809
GPG key ID: B5690EEEBB952194


@ -9,7 +9,7 @@ arq==0.26.3
twilio==9.8.0
minio==7.2.16
alembic-postgresql-enum==1.8.0
python-multipart==0.0.20
python-multipart==0.0.27
sentry-sdk[fastapi]==2.38.0
sqlalchemy[asyncio]==2.0.43
msgpack==1.1.2
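Review bot: the only change in this hunk is the exact pin `python-multipart==0.0.20` -> `python-multipart==0.0.27`, which matches the commit message (0.0.27 is at or above the fixed versions 0.0.22, 0.0.26 and 0.0.27 cited for the three advisories), so the pin itself looks right; what is not visible here is whether any other manifest in the repo (a lock or constraints file, a Dockerfile `pip install`, a dev requirements file) still carries the old pin, so it is worth confirming the upgrade is reflected everywhere the API image is built, and, since two of the three advisories are CWE-400 resource-exhaustion issues in the multipart parser, consider pairing the bump with an application-level request body size limit on the upload endpoints named in the message as defence in depth, so a future parser regression does not leave those routes unbounded again.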