EXECUTIVE SUMMARY:
CVE-2026-53539, with a CVSS score of 7.5, is a denial‑of‑service vulnerability in the python‑multipart library (pip/python-multipart) affecting all releases prior to version 0.0.30. The flaw resides in the QuerystringParser component used by Starlette, FastAPI, and any application that relies on python‑multipart to decode “application/x‑www‑form‑urlencoded” payloads. The parser locates field separators by first scanning the remaining buffer for an ampersand (“&”) and only falling back to a semicolon (“;”) when no ampersand is found, so when only semicolons are present every field triggers a full scan of the remaining buffer. An attacker can exploit this by sending a crafted HTTP POST request with a modestly sized body such as “a;a;a;…” and the appropriate Content‑Type header; no authentication or special privileges are required, only the ability to reach the vulnerable endpoint. Because each semicolon‑separated field incurs a costly failed scan, the parser’s runtime grows quadratically with the body length, consuming excessive CPU cycles and tying up worker processes for seconds per request. This allows the attacker to degrade or entirely block service availability, leading to increased latency, potential downtime, and elevated operational costs. Exploitation requires that the vulnerable version be in use and that the request body be formatted with semicolons and no ampersands.
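To make the cost model concrete, the following constructed example models the separator search described above. It is added here and is not python-multipart's own code: `split_two_pass` reproduces the described strategy (scan the whole remaining buffer for “&”, fall back to “;” only on failure) and `split_single_pass` shows one linear alternative that ends a field at whichever separator comes first. Both count byte comparisons so the quadratic versus linear growth can be observed on a constructed “a;a;…;a” body; the function and constant names are this example's own.

```python
# Added illustration (not python-multipart's own code): a constructed model of the
# separator search described in the advisory, showing why it costs O(n^2) on
# semicolon-only input and why a single scan for either separator is O(n).

AMP = ord("&")
SEMI = ord(";")


def _scan_for(buf: bytes, start: int, target: int):
    """Scan buf[start:] for target. Returns (index or -1, byte comparisons made)."""
    for i in range(start, len(buf)):
        if buf[i] == target:
            return i, i - start + 1
    return -1, len(buf) - start


def split_two_pass(buf: bytes):
    """Model of the vulnerable strategy: for each field, look for '&' over the whole
    remaining buffer and only then fall back to ';'. On "a;a;a;..." every field pays
    a failed full scan, so total work is quadratic in the body length.
    Returns (fields, total byte comparisons)."""
    fields, total, pos, n = [], 0, 0, len(buf)
    while pos < n:
        idx, c = _scan_for(buf, pos, AMP)       # first pass: '&'
        total += c
        if idx == -1:
            idx, c = _scan_for(buf, pos, SEMI)  # fallback pass: ';'
            total += c
        if idx == -1:
            fields.append(buf[pos:])            # no separator left: rest is one field
            break
        fields.append(buf[pos:idx])
        pos = idx + 1
    return fields, total


def split_single_pass(buf: bytes):
    """Linear alternative: one left-to-right scan that ends a field at whichever
    separator appears first, so each byte is examined exactly once.
    Returns (fields, total byte comparisons)."""
    fields, start = [], 0
    for i, b in enumerate(buf):
        if b == AMP or b == SEMI:
            fields.append(buf[start:i])
            start = i + 1
    if start < len(buf):                        # trailing field, if any
        fields.append(buf[start:])
    return fields, len(buf)


def compare_costs(field_count: int):
    """Comparisons needed by each strategy for a constructed body made of
    `field_count` semicolon-separated one-byte fields ("a;a;...;a")."""
    body = b";".join([b"a"] * field_count)      # constructed sample input
    _, two_pass = split_two_pass(body)
    _, single = split_single_pass(body)
    return {"body_bytes": len(body), "two_pass": two_pass, "single_pass": single}


if __name__ == "__main__":
    # Doubling the field count roughly quadruples the two-pass cost.
    for k in (100, 200, 400):
        print(compare_costs(k))
```

Running the module prints the comparison counts for three body sizes; the two-pass column grows roughly fourfold each time the body doubles, while the single-pass column grows linearly with the body length, which is the behaviour a fix must restore. Mixed inputs containing both separators are split differently by the two strategies, since the modelled vulnerable search gives “&” precedence even when a “;” appears earlier.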
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-5rvq-cxj2-64vf