Fluid Attacks Database

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	python-multipart	>=0 <0.0.30	0.0.30
debian 11	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-2 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 12	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 13	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-
debian 14	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-

Aliases

1. CVE-2026-535382. NVD-2026-535383. OSV-2026-535384. OSV-DEBIAN-2026-535385. GHSA-6jv3-5f52-599m6. GCVE-2026-535387. SECURITY-TRACKER-CVE-2026-53538

References

1. https://github.com/Kludex/python-multipart/security/advisories/GHSA-6jv3-5f52-599m