CVE-2026-53539

Name	CVE-2026-53539
Description	Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-multipart (PTS)	bullseye	0.0.5-2	vulnerable
	bookworm	0.0.5-3	vulnerable
	trixie	0.0.20-1.1~deb13u1	vulnerable
	forky, sid	0.0.26-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-multipart	source	(unstable)	(unfixed)

Notes

[trixie] - python-multipart <no-dsa> (Minor issue)
https://github.com/Kludex/python-multipart/security/advisories/GHSA-5rvq-cxj2-64vf
Fixed by: https://github.com/Kludex/python-multipart/commit/d69df35cd2cad9c72794c2c340db646afae957d8 (0.0.30)