python · python-multipart · Critical

python-multipart: Quadratic-time DoS in QuerystringParser fixed in 0.0.30

QuerystringParser in python-multipart performed quadratic-time scanning for field separators in application/x-www-form-urlencoded bodies, causing denial of service via crafted input.

16 Jun 2026 · Read 1 min · Severity: act now

What changed

Before 0.0.30, QuerystringParser in python-multipart scanned for field separators in application/x-www-form-urlencoded bodies in quadratic time, so crafted input could cause denial of service. Version 0.0.30 fixes this by treating only '&' as a separator and scanning linearly.

Who it affects

All users of python-multipart, including Starlette and FastAPI applications that parse url-encoded form data via request.form().

What to do today

Upgrade python-multipart to version 0.0.30 or later immediately.
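
One way to confirm where the upgrade is still needed, as an added example that is not part of the advisory or of python-multipart itself: it flags `==` pins below 0.0.30 in a requirements-style file and checks the version installed in the current environment. The function names, the sample file content and the simplified version parsing (numeric release segment only, not full PEP 440) are assumptions of this example.

```python
import re
from importlib import metadata

FIXED = (0, 0, 30)  # first fixed release, per the advisory
NAME_RE = re.compile(r"^python[-_.]multipart$", re.I)
# Matches "name==version" pins, with optional extras; other specifiers are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")

def release_tuple(version):
    """Leading numeric release segment only (simplified, not full PEP 440)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    """True if below 0.0.30, False if at or above it, None if unparseable."""
    rel = release_tuple(version)
    return None if rel is None else rel < FIXED

def audit_requirements(text):
    """Return (line_no, version, affected) for each pinned python-multipart line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and NAME_RE.match(m.group(1)):
            findings.append((no, m.group(2), is_affected(m.group(2))))
    return findings

def installed_status():
    """(version, affected) for the running environment; None if not installed."""
    try:
        v = metadata.version("python-multipart")
    except metadata.PackageNotFoundError:
        return None
    return v, is_affected(v)

# Constructed sample lockfile content (not from the advisory).
SAMPLE = """\
fastapi==0.115.0
python-multipart==0.0.29   # constructed pin below the fix
python_multipart==0.0.30
starlette==0.40.0
"""

if __name__ == "__main__":
    for no, ver, bad in audit_requirements(SAMPLE):
        print(f"line {no}: python-multipart {ver} -> {'UPGRADE' if bad else 'ok'}")
    print("installed:", installed_status())
```

Because Starlette and FastAPI pull python-multipart in as a dependency, run the check against the resolved lockfile or the deployed environment rather than only the top-level requirements.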
