2026-03-14 - Python, infosec, CVE
The 'multipart' python library got an independent security audit and I only know about that because they found something -> CVE-2026-28356
This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can …
2025-11-27 - FOSS, BigBlueButton, BBBLB, Python
My latest FOSS Project: BBBLB is a modern multi-tenant-capable load balancer for large BigBlueButton clusters. Not ready for production yet, but on a good path. The aim is to have something fast and easy(er) to maintain that can fully replace scalelite (the reference implementation) and fixes some of …
2025-11-03 - yarl, aiohttp, Python
The python aiohttp library uses yarl for URLs internally, and yarl normalizes URLs by default. It silently decodes some %-encoded characters in the query string that do not strictly need to be encoded. Sounds harmless, but it isn't. Changing the URL breaks any protocol that signs important aspects of a …
2025-06-25 - Python, uv
The uv and uvx tools have a very particular way to make virtual environments relocatable: they replace the shebang in python scripts with some polyglot magic, so that the executable is both a valid bash script and a python script at the same time. Unfortunately this breaks with a SyntaxError …
2024-11-17 - Python, infosec, CVE
A while ago I found CVE-2024-47874 in starlette (and FastAPI). The same issue is also present in litestar and I reported that as CVE-2024-52581 (CVSSv4 8.7). The reaction time from the team was very quick this time and a fix was published in less than a week. A new …
2024-10-25 - Python, infosec, CVE
Werkzeug is a Web Server Gateway Interface (WSGI) library used to develop python web applications or frameworks. Applications using werkzeug.formparser.MultiPartParser to parse multipart/form-data requests (e.g. all flask and quart applications) were vulnerable to resource exhaustion (denial of service) attacks. A specifically crafted form submission request could …
2024-10-15 - Python, infosec, CVE
I'm finally allowed to speak about this nice little DoS vulnerability I found in starlette (and FastAPI). The FastAPI devs published an update 3 days before the security release of Starlette that widened …