[PR #25559] chore(deps): update dependency python-multipart to v0.0.22 [security] #18279

Open
opened 2026-02-05 16:35:44 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/immich-app/immich/pull/25559
Author: @renovate[bot]
Created: 1/27/2026
Status: 🔄 Open

Base: mainHead: renovate/pypi-python-multipart-vulnerability


📝 Commits (1)

  • fb62760 chore(deps): update dependency python-multipart to v0.0.22 [security]

📊 Changes

1 file changed (+3 additions, -3 deletions)

View changed files

📝 machine-learning/uv.lock (+3 -3)

📄 Description

This PR contains the following updates:

Package Change Age Confidence
python-multipart (changelog) 0.0.210.0.22 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-24486

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.

Affected Configuration

Projects are only affected if all of the following are true:

  • UPLOAD_DIR is set
  • UPLOAD_KEEP_FILENAME is set to True
  • The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.


Release Notes

Kludex/python-multipart (python-multipart)

v0.0.22

Compare Source

  • Drop directory path from filename in File 9433f4b.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/immich-app/immich/pull/25559 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 1/27/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `renovate/pypi-python-multipart-vulnerability` --- ### 📝 Commits (1) - [`fb62760`](https://github.com/immich-app/immich/commit/fb62760a5ec15224da773d93bc1fa223e715465e) chore(deps): update dependency python-multipart to v0.0.22 [security] ### 📊 Changes **1 file changed** (+3 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `machine-learning/uv.lock` (+3 -3) </details> ### 📄 Description This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [python-multipart](https://redirect.github.com/Kludex/python-multipart) ([changelog](https://redirect.github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)) | `0.0.21` → `0.0.22` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/python-multipart/0.0.22?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/python-multipart/0.0.21/0.0.22?slim=true) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2026-24486](https://redirect.github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg) ### Summary A Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. ### Details When `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME` is `True`, the library constructs the file path using `os.path.join(file_dir, fname)`. Due to the behavior of `os.path.join()`, if the filename begins with a `/`, all preceding path components are discarded: ```py os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious" ``` This allows an attacker to bypass the intended upload directory and write files to arbitrary paths. #### Affected Configuration Projects are only affected if all of the following are true: - `UPLOAD_DIR` is set - `UPLOAD_KEEP_FILENAME` is set to True - The uploaded file exceeds `MAX_MEMORY_FILE_SIZE` (triggering a flush to disk) The default configuration is not vulnerable. #### Impact Arbitrary file write to attacker-controlled paths on the filesystem. #### Mitigation Upgrade to version 0.0.22, or avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. --- ### Release Notes <details> <summary>Kludex/python-multipart (python-multipart)</summary> ### [`v0.0.22`](https://redirect.github.com/Kludex/python-multipart/blob/HEAD/CHANGELOG.md#0022-2026-01-25) [Compare Source](https://redirect.github.com/Kludex/python-multipart/compare/0.0.21...0.0.22) - Drop directory path from filename in `File` [9433f4b](https://redirect.github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/immich-app/immich). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhbmdlbG9nOnNraXAiLCJkZXBlbmRlbmNpZXMiLCJyZW5vdmF0ZSJdfQ==--> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-05 16:35:44 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: immich-app/immich#18279