Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full, failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon-separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Python-Multipart contains a quadratic-time querystring parsing bug that is triggered when an application/x-www-form-urlencoded body uses semicolons as separators and contains no ampersands. For each field the parser first scans the whole remaining buffer for an ampersand, fails, and only then looks for the nearby semicolon, so a body of size B costs O(B²) byte comparisons. A short crafted body such as a;a;a;… therefore makes the parser spend seconds of CPU per request, and a few concurrent requests can exhaust the server's worker processes. The result is a CPU-exhaustion denial of service; confidentiality and integrity are not affected (CVSS C:N/I:N/A:H).
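The following is an added example, written for this page and not taken from python-multipart's source. It models the separator lookup exactly as the Description and Impact sections above describe it (full scan for '&', then a fallback scan for ';') beside a single-pass lookup that stops at the first of either byte, and counts byte comparisons so the quadratic growth is visible. The names (find_two_step, find_single_pass, parse_fields, craft_body) and the comparison counter are inventions of this example; the "fast" variants use bytes.find and a regex only to show the wall-clock effect at realistic sizes.

```python
"""Model of the separator lookup described for CVE-2026-53539.

Added example, not python-multipart's own code: a toy
x-www-form-urlencoded field splitter that reproduces the two-step
'&'-then-';' lookup from the advisory text beside a single-pass lookup,
with a byte-comparison counter so the O(B^2) growth is measurable.
"""
import re
import time

AMP, SEMI = 0x26, 0x3B          # '&', ';'
SEP_RE = re.compile(rb"[&;]")   # first '&' or ';' in one pass


def find_two_step(buf: bytes, start: int, counter: list) -> int:
    """Vulnerable lookup as described: scan the whole remaining buffer
    for '&'; only if none exists anywhere ahead, rescan for ';'.
    counter[0] accumulates byte comparisons."""
    for i in range(start, len(buf)):
        counter[0] += 1
        if buf[i] == AMP:
            return i
    for i in range(start, len(buf)):
        counter[0] += 1
        if buf[i] == SEMI:
            return i
    return -1


def find_single_pass(buf: bytes, start: int, counter: list) -> int:
    """Fixed lookup: stop at the first byte that is either separator."""
    for i in range(start, len(buf)):
        counter[0] += 1
        if buf[i] == AMP or buf[i] == SEMI:
            return i
    return -1


def parse_fields(buf: bytes, find) -> tuple[list[tuple[bytes, bytes]], int]:
    """Split buf into (name, value) pairs using `find`; return the pairs
    and the total byte comparisons spent locating separators."""
    counter = [0]
    fields = []
    pos = 0
    while pos < len(buf):
        end = find(buf, pos, counter)
        if end == -1:
            end = len(buf)
        name, _, value = buf[pos:end].partition(b"=")
        fields.append((name, value))
        pos = end + 1
    return fields, counter[0]


def craft_body(n_fields: int) -> bytes:
    """Constructed attacker body: n semicolon-separated fields, no '&'."""
    return b";".join([b"a"] * n_fields)


def comparison_counts(n_fields: int) -> tuple[int, int]:
    """(two-step, single-pass) comparison totals for craft_body(n_fields).
    Two-step is n^2 + 2n - 1; single-pass is exactly len(body) = 2n - 1."""
    body = craft_body(n_fields)
    return parse_fields(body, find_two_step)[1], parse_fields(body, find_single_pass)[1]


def split_two_step_fast(buf: bytes) -> list[bytes]:
    """Same two-step strategy with C-level bytes.find, for timing."""
    out, pos = [], 0
    while pos < len(buf):
        end = buf.find(b"&", pos)       # full scan of the remainder
        if end == -1:
            end = buf.find(b";", pos)   # only then look for ';'
        if end == -1:
            end = len(buf)
        out.append(buf[pos:end])
        pos = end + 1
    return out


def split_single_pass_fast(buf: bytes) -> list[bytes]:
    """Same single-pass strategy with a compiled regex, for timing."""
    out, pos = [], 0
    while pos < len(buf):
        m = SEP_RE.search(buf, pos)
        end = m.start() if m else len(buf)
        out.append(buf[pos:end])
        pos = end + 1
    return out


if __name__ == "__main__":
    for n in (250, 500, 1000):      # doubling n roughly quadruples two-step cost
        two, one = comparison_counts(n)
        print(f"{n:5d} fields: two-step {two:9d} comparisons, single-pass {one:6d}")
    body = craft_body(50_000)       # ~100 KB: still a small HTTP body
    for name, fn in (("two-step", split_two_step_fast), ("single-pass", split_single_pass_fast)):
        t0 = time.perf_counter()
        fn(body)
        print(f"{name:12s} {time.perf_counter() - t0:.3f}s on {len(body)} bytes")
```

Running the script shows two-step comparisons growing about fourfold each time the field count doubles while single-pass stays at one comparison per byte. The model only covers bodies that use one separator kind, as in the advisory; a body mixing '&' and ';' splits differently under the two strategies because the two-step lookup gives '&' priority over any earlier ';'.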

Affected Systems

Kludex:python-multipart, all versions prior to 0.0.30. The vulnerability is patched in 0.0.30 and later releases.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects an unauthenticated, network-reachable attack that needs no user interaction. No EPSS data is available, and the flaw is not listed in CISA KEV. The attack requires only a crafted HTTP request body that uses semicolons as separators, which any external client can send to an endpoint that parses form bodies with the vulnerable version. Because the body is small, ordinary request-size limits do not stop it; the cost is CPU time per request. Multiple concurrent requests can saturate worker processes, leading to service degradation, and the vulnerability can be exploited from outside the network wherever such an endpoint is exposed.

Generated by OpenCVE AI on June 22, 2026 at 18:21 UTC.

Remediation

No vendor-supplied workaround is recorded in this field; the advisory text states that the issue is fixed in python-multipart 0.0.30.

OpenCVE Recommended Actions

  • Upgrade the python-multipart package to version 0.0.30 or newer, which removes the quadratic behavior.
  • If an upgrade is not immediately possible, reject application/x-www-form-urlencoded bodies that contain a ';' before they reach the parser. Standard HTML form submissions separate fields with '&', so this affects only clients that deliberately use ';' as a separator.
  • Implement application-level rate limiting and monitor per-request CPU time. The crafted body is small, so thresholds on request size will not catch it; a sudden rise in request duration or worker CPU usage is the useful signal.
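As an added example of the interim mitigation in the actions above (not OpenCVE's or python-multipart's code), here is a dependency-free ASGI middleware that buffers a form body up to a cap, rejects it with 400 on the first ';' and with 413 when the cap is exceeded, and otherwise replays the body to the wrapped application. The class name RejectSemicolonForms, the demo_app stand-in and the run_request driver are inventions of this example; the 64 KB cap is an assumed value to tune for the application.

```python
"""ASGI middleware for the interim mitigation: reject form bodies that use
';' as a separator and cap form-body size. Added example; not OpenCVE's or
python-multipart's code. demo_app stands in for the wrapped application."""
import asyncio

FORM_CT = b"application/x-www-form-urlencoded"


async def _plain(send, status: int, text: bytes) -> None:
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": text})


def _is_form(scope) -> bool:
    """True when Content-Type is x-www-form-urlencoded (parameters such as charset ignored)."""
    for name, value in scope.get("headers", []):
        if name == b"content-type":
            return value.split(b";", 1)[0].strip().lower() == FORM_CT
    return False


class RejectSemicolonForms:
    """Buffer a form body up to max_form_bytes (assumed default 64 KB), refuse it on
    the first ';' (400) or when the cap is exceeded (413), else replay it to app."""

    def __init__(self, app, max_form_bytes: int = 64 * 1024):
        self.app = app
        self.max_form_bytes = max_form_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not _is_form(scope):
            await self.app(scope, receive, send)
            return
        chunks, total = [], 0
        while True:
            msg = await receive()
            if msg["type"] != "http.request":   # e.g. http.disconnect mid-body
                return
            body = msg.get("body", b"")
            total += len(body)
            if total > self.max_form_bytes:
                await _plain(send, 413, b"form body too large")
                return
            if b";" in body:                     # single byte, so no chunk-boundary issue
                await _plain(send, 400, b"';' separators are not accepted")
                return
            chunks.append(body)
            if not msg.get("more_body", False):
                break
        full = b"".join(chunks)
        replayed = False

        async def replay():
            nonlocal replayed
            if not replayed:
                replayed = True
                return {"type": "http.request", "body": full, "more_body": False}
            return await receive()               # later messages (e.g. disconnect)

        await self.app(scope, replay, send)


async def demo_app(scope, receive, send):
    """Stand-in application: reads the whole body and reports the '&'-split field count."""
    body = b""
    while True:
        msg = await receive()
        body += msg.get("body", b"")
        if not msg.get("more_body", False):
            break
    fields = [f for f in body.split(b"&") if f]
    await _plain(send, 200, b"fields=%d" % len(fields))


def run_request(content_type: bytes, body: bytes, chunk: int = 4096) -> tuple[int, bytes]:
    """Drive the wrapped demo app with a constructed POST; returns (status, response body)."""
    msgs = [{"type": "http.request", "body": body[i:i + chunk],
             "more_body": i + chunk < len(body)} for i in range(0, len(body), chunk)]
    msgs = msgs or [{"type": "http.request", "body": b"", "more_body": False}]
    msgs.append({"type": "http.disconnect"})
    it = iter(msgs)
    out = {"status": None, "body": b""}

    async def receive():
        return next(it)

    async def send(m):
        if m["type"] == "http.response.start":
            out["status"] = m["status"]
        elif m["type"] == "http.response.body":
            out["body"] += m.get("body", b"")

    scope = {"type": "http", "method": "POST", "path": "/",
             "headers": [(b"content-type", content_type)]}
    asyncio.run(RejectSemicolonForms(demo_app)(scope, receive, send))
    return out["status"], out["body"]


if __name__ == "__main__":
    print(run_request(FORM_CT, b"a;a;a;a"))   # (400, b"';' separators are not accepted")
    print(run_request(FORM_CT, b"a=1&b=2"))   # (200, b'fields=2')
```

Wrap the real application as RejectSemicolonForms(app) and remove the wrapper after upgrading to 0.0.30 or later. The check only looks at the raw ';' byte; a percent-encoded %3B is not a separator and passes through, which is the intended behaviour. Multipart bodies are untouched because the advisory concerns only application/x-www-form-urlencoded parsing.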


Advisories

Source: GitHub GHSA
ID: GHSA-5rvq-cxj2-64vf
Title: python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
History

Mon, 22 Jun 2026 17:30:00 +0000

Values removed: none

Values added:

Description: identical to the Description at the top of this page.
Title: Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Weaknesses: CWE-400, CWE-407
References: none listed
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T16:55:42.787Z

Reserved: 2026-06-09T18:13:07.263Z

Link: CVE-2026-53539

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-407

    Inefficient Algorithmic Complexity