CVE-2026-53537

Name	CVE-2026-53537
Description	Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename=charset'lang'value, name=..., and the filename0/filename1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-multipart (PTS)	bullseye	0.0.5-2	vulnerable
	bookworm	0.0.5-3	vulnerable
	trixie	0.0.20-1.1~deb13u1	vulnerable
	forky, sid	0.0.26-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-multipart	source	(unstable)	(unfixed)

Notes

[trixie] - python-multipart <no-dsa> (Minor issue)
https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q
Fixed by: https://github.com/Kludex/python-multipart/commit/3506c15ce99cb62faf2d5ceb3c4c1e5800cb843d (0.0.30)