PT-2026-49571 · Pypi · Python-Multipart

Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-53539

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: python-multipart versions prior to 0.0.30

Description: A quadratic-complexity issue exists when parsing application/x-www-form-urlencoded bodies. The QuerystringParser performs a two-step lookup for field separators, scanning the entire remaining buffer for & before falling back to ;. If a body uses ; as a separator and contains no &, every field iteration triggers a full, failed scan of the remaining buffer, resulting in O(B^2) byte comparisons per chunk. An attacker can submit a crafted body consisting of repeated separators to cause excessive CPU consumption, which can exhaust worker processes and lead to a denial of service. This parser is reachable through the QuerystringParser class and the FormParser, create_form_parser and parse_form APIs, and is used by Starlette and FastAPI for request.form() calls.
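To make the cost difference concrete, the following added example (not python-multipart's own code) models the two-step separator lookup the advisory describes beside a single-pass scan that stops at whichever separator comes first, and counts the byte comparisons each strategy makes on constructed bodies.

```python
# Added example: a model of the separator lookup described in the advisory,
# not python-multipart's own code. All sample bodies are constructed inline.

def split_two_step(body: bytes):
    """Two-step lookup: scan the rest of the buffer for '&' and, only if none
    is found, rescan it for ';'. Returns (fields, byte comparisons made)."""
    fields, comparisons, pos = [], 0, 0
    while pos < len(body):
        idx = body.find(b"&", pos)
        comparisons += (idx - pos + 1) if idx != -1 else (len(body) - pos)
        if idx == -1:  # failed '&' scan: the whole remainder is scanned again
            idx = body.find(b";", pos)
            comparisons += (idx - pos + 1) if idx != -1 else (len(body) - pos)
        if idx == -1:
            fields.append(body[pos:])
            break
        fields.append(body[pos:idx])
        pos = idx + 1
    return fields, comparisons


def split_single_pass(body: bytes):
    """Linear alternative: one forward scan that splits at whichever separator
    ('&' or ';') appears first, so every byte is examined exactly once."""
    fields, comparisons, start = [], 0, 0
    for i, byte in enumerate(body):
        comparisons += 1
        if byte in (0x26, 0x3B):  # ord('&'), ord(';')
            fields.append(body[start:i])
            start = i + 1
    if start < len(body):
        fields.append(body[start:])
    return fields, comparisons


def comparison_cost(n: int, separator: bytes):
    """Comparisons each strategy makes on a constructed body of n separators:
    (two-step count, single-pass count)."""
    body = separator * n
    return split_two_step(body)[1], split_single_pass(body)[1]


if __name__ == "__main__":
    # With ';' the two-step count grows as n*(n+1)/2 + n; with '&' it stays n.
    for n in (100, 1000, 10000):
        print(n, "x ';' ->", comparison_cost(n, b";"),
              "| n x '&' ->", comparison_cost(n, b"&"))
```

The two strategies produce identical fields; only the work done differs, which is the property a regression test for this class of parser bug should pin down.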
Recommendations: Upgrade to version 0.0.30 or later.

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2026-53539, GHSA-5RVQ-CXJ2-64VF

Affected Products: Python-Multipart