Threat Intelligence Database

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.

CVE-2026-53539 is a high-severity vulnerability in Kludex python-multipart prior to version 0.0.30. The issue arises when parsing application/x-www-form-urlencoded bodies that use semicolon (;) as a field separator without ampersands (&). The parser performs an inefficient scan for & on every field iteration, causing quadratic time complexity in CPU usage. This can lead to excessive CPU consumption and potential denial of service when processing crafted requests. The vulnerability is fixed in version 0.0.30.

A vulnerability in python-multipart prior to version 0.0.30 allows interpretation conflicts in parsing application/x-www-form-urlencoded bodies. The QuerystringParser treated the semicolon (;) as a field separator in addition to the ampersand (&), which is inconsistent with the WHATWG URL standard and modern browsers. This discrepancy can enable an attacker to smuggle extra form fields past upstream body inspection components. The issue is fixed in version 0.0.30.

A vulnerability in python-multipart prior to version 0.0.30 allows improper input validation of multipart/form-data headers. The parser incorrectly applies RFC 2231/5987 decoding to Content-Disposition headers, which is forbidden by RFC 7578 for multipart/form-data. This discrepancy can be exploited to smuggle altered field names or filenames past upstream security components that do not implement the same decoding, potentially leading to information manipulation. The issue is fixed in version 0.0.30.