Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reachable over the network on default form endpoints with no auth or user interaction; availability-only impact via CPU exhaustion, no confidentiality or integrity effect.
Primary rating from Vendor (https://github.com/Kludex/python-multipart).
CVSS VectorVendor: https://github.com/Kludex/python-multipart
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 4 pypi packages depend on python-multipart (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.0.30.
DescriptionCVE.org
Summary
When parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no &, every field iteration performed a full failed & scan over the entire remaining buffer before locating the nearby ;. With N semicolon separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk.
An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes.
Details
In python_multipart/multipart.py, both the FIELD_NAME and FIELD_DATA states located the next separator like this:
sep_pos = data.find(b"&", i)
if sep_pos == -1:
sep_pos = data.find(b";", i)data.find(b"&", i) scans from i to the end of the buffer and returns -1 only when there is no & anywhere in the remainder. For a ; separated body with no &, this failed full buffer scan repeats once per field, making parsing quadratic in the body length.
For example, a 1 MiB url encoded body consisting of a; repeated ~500,000 times, submitted with Content-Type: application/x-www-form-urlencoded, causes the parser to perform on the order of 10^11 byte comparisons, consuming several seconds of CPU for a single request. Cost scales quadratically with chunk size.
The parser is reachable through the public QuerystringParser class and through the high level FormParser, create_form_parser, and parse_form APIs for url encoded bodies. It is also the parser Starlette and FastAPI use for application/x-www-form-urlencoded request bodies via request.form().
Impact
Uncontrolled CPU consumption (denial of service). Parsing is synchronous, so a single small crafted form body occupies the handling worker for seconds, blocking any other work on that worker until parsing finishes. Sustained concurrent requests keep workers continuously busy, degrading or denying service.
Mitigation
Upgrade to python-multipart 0.0.30 or later, which treats only & as a field separator (per the WHATWG URL standard) using a single bounded scan, making parsing linear in the body length.
AnalysisAI
Uncontrolled CPU consumption in python-multipart's QuerystringParser (versions <0.0.30) allows remote unauthenticated attackers to cause denial of service by submitting small crafted application/x-www-form-urlencoded bodies using semicolons as field separators. The two-step separator lookup degenerates into O(B²) byte comparisons, letting a ~1 MiB body burn seconds of CPU per request and exhaust workers in Starlette/FastAPI applications that call request.form(). No public exploit identified at time of analysis, though a clear proof-of-concept payload pattern (a;a;a;...) is described in the GHSA advisory.
Technical ContextAI
python-multipart is a streaming parser for multipart/form-data and application/x-www-form-urlencoded bodies, used as the default form parser by Starlette and FastAPI via request.form(). The flaw lives in python_multipart/multipart.py where the FIELD_NAME and FIELD_DATA state handlers call data.find(b"&", i) before falling back to data.find(b";", i); when the body uses only semicolons, the first call performs a full failed scan of the remaining buffer on every field iteration. This is a textbook CWE-400 (Uncontrolled Resource Consumption) algorithmic complexity attack - the per-chunk cost scales as O(B²) in body size B, which is amplified because parsing is synchronous and blocks the handling worker. The affected package is identified by pkg:pip/python-multipart and the fix (0.0.30) realigns behavior with the WHATWG URL standard by treating only & as the separator using a single bounded scan.
RemediationAI
Vendor-released patch: upgrade python-multipart to 0.0.30 or later, which uses a single bounded scan and only honors & as a field separator per the WHATWG URL standard, restoring linear-time parsing. Pin the constraint in requirements.txt/pyproject.toml (python-multipart>=0.0.30) and ensure transitive resolution in Starlette/FastAPI projects actually picks up the fix (verify with pip show python-multipart). If you cannot upgrade immediately, compensating controls include enforcing a tight maximum request body size at the reverse proxy or ASGI layer (e.g., nginx client_max_body_size, Uvicorn --limit-max-requests) to cap the quadratic cost, adding per-request CPU/time limits in the web server, or rejecting application/x-www-form-urlencoded bodies that contain semicolons before they reach the parser - note the last option will break any legitimate clients still sending semicolon-separated form data, though that pattern was deprecated by WHATWG. Refer to https://github.com/Kludex/python-multipart/security/advisories/GHSA-5rvq-cxj2-64vf for vendor guidance.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38322
GHSA-5rvq-cxj2-64vf