CVE-2026-53539
Analyzed Analyzed - Analysis Complete

ReDoS in Python-Multipart Form Parser

Vulnerability report for CVE-2026-53539, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastapiexpert python-multipart to 0.0.30 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53539 is a vulnerability in the python-multipart library versions prior to 0.0.30. It arises from an inefficient parsing method in the QuerystringParser when handling application/x-www-form-urlencoded bodies that use semicolon (;) as field separators.

The parser first scans the entire remaining buffer for ampersand (&) separators before checking for semicolons. If the body contains only semicolon-separated fields and no ampersands, this results in a quadratic time complexity (O(B^2)) in byte comparisons, where B is the chunk size.

An attacker can exploit this by submitting a crafted request body with many semicolon-separated fields (e.g., a;a;a;...), causing the parser to consume excessive CPU resources and significantly slow down processing.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting CPU resources on the server handling the requests.

An attacker can send specially crafted requests with many semicolon-separated fields, causing the parser to perform excessive CPU work and slow down or crash worker processes.

This can degrade the availability and responsiveness of applications using the affected python-multipart versions, especially those exposing public APIs that parse form data.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on systems running vulnerable versions of the python-multipart library (prior to 0.0.30) when processing application/x-www-form-urlencoded bodies with semicolon-separated fields.

Specifically, detection involves identifying requests with crafted bodies containing repeated semicolon-separated fields (e.g., a;a;a;...) that cause excessive CPU consumption.

While no explicit commands are provided in the resources, you can use system monitoring tools such as top, htop, or ps on Linux to observe CPU spikes during request processing.

Additionally, network traffic capture tools like tcpdump or Wireshark can be used to inspect HTTP request bodies for suspicious patterns of repeated semicolon-separated fields.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the python-multipart library to version 0.0.30 or later.

Version 0.0.30 fixes the vulnerability by changing the parser to treat only ampersands (&) as field separators, which reduces the parsing time complexity from quadratic to linear.

This upgrade prevents attackers from exploiting the quadratic-time parsing issue and avoids excessive CPU consumption and potential denial of service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart