rpm package
opensuse/python-starlette&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-starlette&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54282 | low | — | < 1.3.1-1.1 | 1.3.1-1.1 | Jun 15, 2026 | ### Summary In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@goog | |
| CVE-2026-48710 | Med | 6.5 | < 1.2.0-1.1 | 1.2.0-1.1 | May 26, 2026 | Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` hea | |
| CVE-2025-62727 | Hig | 7.5 | < 0.49.1-1.1 | 0.49.1-1.1 | Oct 28, 2025 | Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enabl | |
| CVE-2025-54121 | Med | 5.3 | < 0.47.2-1.1 | 0.47.2-1.1 | Jul 21, 2025 | Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl | |
| CVE-2024-47874 | Hig | — | < 0.41.0-1.1 | 0.41.0-1.1 | Oct 15, 2024 | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a |
- affected < 1.3.1-1.1fixed 1.3.1-1.1
### Summary In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@goog
- affected < 1.2.0-1.1fixed 1.2.0-1.1
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` hea
- affected < 0.49.1-1.1fixed 0.49.1-1.1
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enabl
- affected < 0.47.2-1.1fixed 0.47.2-1.1
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl
- affected < 0.41.0-1.1fixed 0.41.0-1.1
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a