VYPR
High severity7.5OSV Advisory· Published Oct 28, 2025· Updated Apr 15, 2026

CVE-2025-62727

CVE-2025-62727

Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
starlettePyPI
>= 0.39.0, < 0.49.10.49.1

Affected products

45

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.