← back to lessons

2026-06-17 - python-multipart 0.0.31 fresh 4-CVE cluster: WALK CLEAN (sibling-quadratic hypothesis empirically disproved)

Date: 2026-06-17 Target: python-multipart 0.0.31 (fresh cluster, disclosed ~2026-06-16) Verdict: WALK CLEAN.

The cluster (4 fresh CVEs, one version line)

Completeness check (all fixed)

Sibling hypothesis tested and DISPROVED (the value of this cycle)

The querystring fix wouldn't touch _parseparam (the SEPARATE header-options ;-splitter, vendored from stdlib email._parseparam) which has an inner quote-counting loop s.count('"', ind, end) over a growing string -> I hypothesized an O(n^2) sibling on an unclosed-quote + many-semicolons Content-Type/Disposition header (attacker-controlled in uploads). EMPIRICAL timing: LINEAR (2k->16k semicolons = 2.5ms->19.7ms, ratio ~2x per 2x; N quoted params likewise exactly 2x). The windowed counts stay small per iteration -> no quadratic. Walk.

Lesson: when chasing a "quadratic in parser A" CVE, the natural set-difference is "parser B in the same lib

that ALSO splits on the same delimiter." Here that sibling (_parseparam) existed and was a plausible O(n^2) by inspection - but EMPIRICAL doubling-test disproved it (windowed counts != growing-range counts). Don't claim a complexity bug from code-shape alone; the constant-vs-quadratic distinction needs the timing test (mirrors the Django Truncator cycle where the timing CONFIRMED, here it REFUTED). Same method, opposite outcome = honest.

Predictor: python-multipart is small BUT a FastAPI/Starlette dep (moderate scrutiny) and the cluster was a

coordinated thorough disclosure -> swept. Fresh != automatically low-scrutiny. Cluster #1 of today's fresh hunt.

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min