GHSA-6jv3-5f52-599m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6jv3-5f52-599m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-6jv3-5f52-599m/GHSA-6jv3-5f52-599m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6jv3-5f52-599m
- Aliases
-
- CVE-2026-53538
- Downstream
- Related
- Published
- 2026-06-15T20:22:25Z
- Modified
- 2026-06-17T04:59:18.715016166Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
- Details
-
Summary
QuerystringParsertreated;as a field separator inapplication/x-www-form-urlencodedbodies, in addition to&. The WHATWG URL standard, modern browsers, and Python'surllib.parse(since the CVE-2021-23336 fix) treat only&as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component.Details
In
python_multipart/multipart.py, theFIELD_NAMEandFIELD_DATAstates located the next separator by scanning for&and, failing that, for;:sep_pos = data.find(b"&", i) if sep_pos == -1: sep_pos = data.find(b";", i)As a result,
;acted as a field boundary. Because the fallback only triggered when no&remained in the current chunk, tokenization also depended on unrelated bytes later in the buffer and on how the body was split acrosswrite()calls. This is the same class of issue as CVE-2021-23336 in CPython'surllib.parse.For example, a body inspecting WAF or gateway that follows the WHATWG rule (only
&separates fields) receives:role=user&x=;role=adminThe upstream parses two fields,
role=userandx=";role=admin", sees a benignrole=user, and forwards the request.QuerystringParserparsed the same bytes as three fields:role="user",x="", androle="admin". The application (for example via Starlette/FastAPIrequest.form(), where the last value wins) then receivedrole=admin, a value the upstream validator never saw.The parser is reachable through the public
QuerystringParserclass, the high levelFormParser,create_form_parser, andparse_formAPIs, and Starlette/FastAPIrequest.form()for url encoded bodies.Impact
Interpretation conflict / HTTP parameter pollution. An attacker can smuggle extra or overriding form fields past an upstream component that applies the WHATWG separator rule, reaching the backend with parameters the intermediary did not observe.
Mitigation
Upgrade to
python-multipart0.0.30or later, which treats only&as a field separator per the WHATWG URL standard.;is parsed as ordinary field data, matchingurllib.parse, browsers, and other compliant parsers. - Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2026-06-15T20:22:25Z", "github_reviewed": true, "severity": "LOW", "cwe_ids": [ "CWE-436", "CWE-444" ] }- References
Affected packages
PyPI / python-multipart
Package
- Name
- python-multipart
- View open source insights on deps.dev
- Purl
- pkg:pypi/python-multipart
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.30