CVE-2026-53539
Status: Received - Intake
ReDoS in Python-Multipart Form Parser

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon-separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.
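To make the complexity claim in the description concrete, here is an added toy model of the two lookup strategies (it is not python-multipart's code and does not import it). It counts byte comparisons instead of measuring wall-clock time, so the O(B^2) versus O(B) difference is visible deterministically: `count_fields_two_step` models the pre-0.0.30 behaviour (scan the whole remaining buffer for `&`, fall back to `;`), `count_fields_single_pass` models the 0.0.30 behaviour (a single separator, one linear scan). The `a;a;a;...` body is the shape the advisory itself describes; the function names and the comparison counter are assumptions made for this illustration.

```python
"""Toy model of the separator lookup described in CVE-2026-53539.

Added illustration only: this is NOT python-multipart's implementation.
Each scan increments a counter once per byte examined, so the cost of a
body can be compared without timing noise.
"""


def _scan(buf: bytes, start: int, ch: int, counter: list) -> int:
    """Linear scan for byte value `ch` starting at `start`.

    Returns the index of the first match or -1. counter[0] is incremented
    once per byte looked at, which is the cost we want to expose.
    """
    for i in range(start, len(buf)):
        counter[0] += 1
        if buf[i] == ch:
            return i
    return -1


def count_fields_two_step(buf: bytes) -> tuple:
    """Model of the pre-0.0.30 lookup.

    For every field, first look for '&' across the WHOLE remaining buffer;
    only when none is found, look for ';'. On a body with many ';' and no
    '&', the first scan fails completely on every field, so the total cost
    grows with the square of the buffer size.
    Returns (field_count, byte_comparisons).
    """
    counter = [0]
    pos, fields = 0, 0
    while pos <= len(buf):
        idx = _scan(buf, pos, ord("&"), counter)
        if idx == -1:
            idx = _scan(buf, pos, ord(";"), counter)
        fields += 1
        if idx == -1:
            break
        pos = idx + 1
    return fields, counter[0]


def count_fields_single_pass(buf: bytes, sep: bytes = b"&") -> tuple:
    """Model of the 0.0.30 behaviour: one separator, one linear scan.

    With only '&' recognised, a ';'-only body is a single field and the
    whole buffer is examined exactly once.
    Returns (field_count, byte_comparisons).
    """
    counter = [0]
    pos, fields = 0, 0
    while pos <= len(buf):
        idx = _scan(buf, pos, sep[0], counter)
        fields += 1
        if idx == -1:
            break
        pos = idx + 1
    return fields, counter[0]


def semicolon_body(n: int) -> bytes:
    """Constructed body of the shape named in the advisory: a;a;a;... (n fields)."""
    return b";".join([b"a"] * n)


def compare(n: int) -> dict:
    """Cost of both strategies on an n-field ';'-separated body."""
    body = semicolon_body(n)
    old_fields, old_cmp = count_fields_two_step(body)
    new_fields, new_cmp = count_fields_single_pass(body)
    return {
        "bytes": len(body),
        "two_step_cmp": old_cmp,
        "two_step_fields": old_fields,
        "single_pass_cmp": new_cmp,
        "single_pass_fields": new_fields,
    }


if __name__ == "__main__":
    # Doubling n roughly quadruples the two-step cost but only doubles
    # the single-pass cost.
    for n in (250, 500, 1000, 2000):
        print(n, compare(n))
```

For n = 1000 the body is 1999 bytes; the two-step model performs 1,001,999 comparisons (about n^2) while the single-pass model performs 1999 (exactly B). The real parser applies this per chunk, which is why the advisory states the cost as O(B^2) per chunk rather than per request.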
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Associated CPEs: 1
Vendor: kludex
Product: python-multipart
Version / Range: up to 0.0.30 (exclusive)
CWE
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-53539 is a vulnerability in the python-multipart library versions prior to 0.0.30. It arises from an inefficient parsing method in the QuerystringParser when handling application/x-www-form-urlencoded bodies that use semicolon (;) as field separators.

The parser first scans the entire remaining buffer for ampersand (&) separators before checking for semicolons. If the body contains only semicolon-separated fields and no ampersands, this results in a quadratic time complexity (O(B^2)) in byte comparisons, where B is the chunk size.

An attacker can exploit this by submitting a crafted request body with many semicolon-separated fields (e.g., a;a;a;...), causing the parser to consume excessive CPU resources and significantly slow down processing.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting CPU resources on the server handling the requests.

An attacker can send specially crafted requests with many semicolon-separated fields, causing the parser to perform excessive CPU work and slow down or crash worker processes.

This can degrade the availability and responsiveness of applications using the affected python-multipart versions, especially those exposing public APIs that parse form data.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on systems running vulnerable versions of the python-multipart library (prior to 0.0.30) when processing application/x-www-form-urlencoded bodies with semicolon-separated fields.

Specifically, detection involves identifying requests with crafted bodies containing repeated semicolon-separated fields (e.g., a;a;a;...) that cause excessive CPU consumption.

The referenced resources give no specific commands; on Linux, system monitoring tools such as top, htop, or ps will show the CPU spikes while such requests are being processed.

Additionally, network traffic capture tools like tcpdump or Wireshark can be used to inspect HTTP request bodies for suspicious patterns of repeated semicolon-separated fields.
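The following is an added triage helper, not part of the advisory or of python-multipart, for the body-inspection idea above. It only works where request bodies are visible in plaintext (for TLS traffic that means a terminating proxy or an application-level hook, not a raw capture). The metric it uses is the number of `;` after the last `&`, because that tail is the region the pre-0.0.30 scan walks repeatedly; the threshold of 64 and the sample bodies are assumptions constructed for this example.

```python
"""Heuristic triage of application/x-www-form-urlencoded bodies for the
CVE-2026-53539 worst case. Added illustration; threshold is an assumption.
"""
from dataclasses import dataclass

# Assumed threshold: benign forms rarely carry this many ';' in one '&'-free run.
SEMICOLON_THRESHOLD = 64


@dataclass(frozen=True)
class FormBodyStats:
    length: int
    ampersands: int
    semicolons_after_last_amp: int
    suspicious: bool


def analyse_form_body(body: bytes, threshold: int = SEMICOLON_THRESHOLD) -> FormBodyStats:
    """Score one urlencoded body.

    The slow path described in the advisory applies to the part of the
    buffer with no '&' ahead of it, i.e. everything after the last '&'.
    A single '&' near the start therefore does not make a body benign,
    so the count is taken over that tail rather than the whole body.
    """
    tail = body.rsplit(b"&", 1)[-1]
    semis = tail.count(b";")
    return FormBodyStats(
        length=len(body),
        ampersands=body.count(b"&"),
        semicolons_after_last_amp=semis,
        suspicious=semis >= threshold,
    )


def flag_bodies(samples: dict, threshold: int = SEMICOLON_THRESHOLD) -> list:
    """Return the names of the samples whose tail exceeds the threshold."""
    return [name for name, body in samples.items()
            if analyse_form_body(body, threshold).suspicious]


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "login_form": b"user=alice&password=hunter2",
    "small_semicolon_form": b"a=1;b=2;c=3",
    "pathological": b";".join([b"a"] * 500),
    "amp_then_pathological": b"x=1&" + b";".join([b"a"] * 500),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:24s} {analyse_form_body(body)}")
    print("flagged:", flag_bodies(SAMPLES))
```

Run it as a one-off over bodies exported from a proxy log, or wire `analyse_form_body` into a request hook that logs the stats. It is a triage signal, not a blocking rule: a legitimate application that uses `;` as a form separator with many fields would also score high.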

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the python-multipart library to version 0.0.30 or later.

Version 0.0.30 fixes the vulnerability by changing the parser to treat only ampersands (&) as field separators, which reduces the parsing time complexity from quadratic to linear.

This upgrade prevents attackers from exploiting the quadratic-time parsing issue and avoids excessive CPU consumption and potential denial of service.
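An added helper (not from the advisory or the project) for checking whether an installed python-multipart satisfies the fix version stated above. It reads the installed version with the standard library's `importlib.metadata` under the distribution name `python-multipart`; the handling of pre-release suffixes (a `0.0.30rc1` is treated as older than the `0.0.30` release) is this example's own choice.

```python
"""Version gate for the CVE-2026-53539 fix. Added illustration only."""
import importlib.metadata
import re

FIXED_VERSION = (0, 0, 30)  # the advisory states the issue is fixed in 0.0.30

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
# Suffixes that mark a build as preceding the numbered release.
_PRERELEASE_RE = re.compile(r"^[.\-_]?(a|b|rc|alpha|beta|dev|pre)", re.IGNORECASE)


def is_fixed_version(ver: str) -> bool:
    """True when `ver` is 0.0.30 or later.

    Only the first three numeric components are compared; a pre-release
    of 0.0.30 itself (e.g. 0.0.30rc1) is considered not fixed, while a
    post-release (e.g. 0.0.30.post1) is.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]
    prerelease = bool(_PRERELEASE_RE.match(m.group(2)))
    if nums > FIXED_VERSION:
        return True
    if nums == FIXED_VERSION:
        return not prerelease
    return False


def installed_status(dist_name: str = "python-multipart") -> str:
    """Report the installed distribution against the fix version."""
    try:
        ver = importlib.metadata.version(dist_name)
    except importlib.metadata.PackageNotFoundError:
        return f"{dist_name}: not installed"
    verdict = "fixed" if is_fixed_version(ver) else "VULNERABLE (upgrade to >= 0.0.30)"
    return f"{dist_name} {ver}: {verdict}"


if __name__ == "__main__":
    print(installed_status())
```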
