CVE-2026-53540

parse form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

parse form() reads the input stream in chunks, never reading more than the remaining Content-Length at a time. The per-chunk size is computed as min(content length - bytes read, chunk size). The header value was parsed to an integer without checking its sign, so a Content-Length of -1 made this expression negative, and input stream.read(-1) reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.

This only affects code that calls parse form() directly with a Content-Length header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:

The realistic exposure is limited to bespoke WSGI or http.server handlers that forward raw client headers into parse form(). In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.

Upgrade to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before reading the stream.