CVE-2026-53539
Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon-separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.
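The following is an added example, not python-multipart's own code: a simplified model of the separator lookup described above, with the two-step lookup (full scan for & first, fall back to ;) placed next to a single-pass lookup that stops at whichever separator comes first. It counts byte comparisons on a constructed a;a;a;... body so the quadratic growth is visible without timing anything. The function names and the comparison counter are assumptions of this example.

```python
# Added example modelling the described lookup; not the library's code.
# Both finders return (index of separator or -1, number of byte comparisons).

AMP = ord("&")
SEMI = ord(";")


def find_separator_two_step(buf: bytes, start: int) -> tuple:
    """Two-step lookup as described for versions before 0.0.30:
    scan the whole remaining buffer for '&'; only if none is found,
    scan again for ';'."""
    comparisons = 0
    for i in range(start, len(buf)):
        comparisons += 1
        if buf[i] == AMP:
            return i, comparisons
    for i in range(start, len(buf)):
        comparisons += 1
        if buf[i] == SEMI:
            return i, comparisons
    return -1, comparisons


def find_separator_single_pass(buf: bytes, start: int) -> tuple:
    """Single pass that stops at the first '&' or ';', whichever comes
    first; the remaining buffer is scanned at most once per field."""
    comparisons = 0
    for i in range(start, len(buf)):
        comparisons += 1
        if buf[i] == AMP or buf[i] == SEMI:
            return i, comparisons
    return -1, comparisons


def parse_fields(buf: bytes, finder) -> tuple:
    """Split buf into raw fields using finder.
    Returns (list of field bytes, total byte comparisons)."""
    fields = []
    total = 0
    pos = 0
    while pos <= len(buf):
        idx, comps = finder(buf, pos)
        total += comps
        if idx == -1:
            fields.append(buf[pos:])
            break
        fields.append(buf[pos:idx])
        pos = idx + 1
    return fields, total


def semicolon_body(n: int) -> bytes:
    """Constructed attacker body: n fields 'a' joined by ';' and no '&'."""
    return b";".join([b"a"] * n)


def comparison_counts(n: int) -> dict:
    """Byte comparisons each strategy spends on semicolon_body(n).
    Two-step cost is n^2 + 2n - 1 (quadratic in the field count);
    single-pass cost is 2n - 1 (the buffer length)."""
    body = semicolon_body(n)
    _, two_step = parse_fields(body, find_separator_two_step)
    _, single = parse_fields(body, find_separator_single_pass)
    return {"fields": n, "bytes": len(body),
            "two_step": two_step, "single_pass": single}


if __name__ == "__main__":
    for n in (10, 100, 1000, 10000):
        print(comparison_counts(n))
```

The cost of the two-step lookup is the sum of the shrinking remaining-buffer lengths, which is why a body of a few tens of kilobytes is enough to burn seconds of CPU while the single-pass version stays linear in the body size; a body that uses & as its separator is cheap for both, which is why the slow path only shows up with semicolon separators.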
INFO
Published Date :
June 22, 2026, 4:55 p.m.
Last Modified :
June 22, 2026, 4:55 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by the CVE-2026-53539 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
No affected product recorded yet
Solution
- Update Python-Multipart to 0.0.30 or later.
- Validate form data and cap request body size at the server or reverse proxy as defense in depth; note that the quadratic cost here is reached with a small body, so a size limit reduces exposure but does not replace the upgrade.
- Monitor worker CPU time and request latency for signs of resource exhaustion.