VYPR

Starlette

by Kludex

pypi: starlette

CVEs (8)

  • CVE-2024-47874 · High · Oct 15, 2024
    risk 0.50 / cvss n/a / epss 0.01

    Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload…

  • CVE-2025-62727 · High · Oct 28, 2025
    risk 0.42 / cvss 7.5 / epss 0.01

    Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This…

  • CVE-2026-54283 · High · Jun 15, 2026
    risk 0.38 / cvss n/a / epss 0.00

    Summary: `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can…

  • CVE-2026-48818 · High · Jun 15, 2026
    risk 0.38 / cvss n/a / epss 0.00

    Summary: When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the…

  • CVE-2026-48710 · Medium · May 26, 2026
    risk 0.35 / cvss 6.5 / epss 0.01

    Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host`…

  • CVE-2025-54121 · Medium · Jul 21, 2025
    risk 0.27 / cvss 5.3 / epss 0.01

    Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size), Starlette will…

  • CVE-2026-54282 · Low · Jun 15, 2026
    risk 0.00 / cvss n/a / epss 0.00

    Summary: In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example…

  • CVE-2026-48817 · Jun 15, 2026
    risk 0.00 / cvss n/a / epss 0.00

    Summary: When dispatching a request, `HTTPEndpoint` selects the handler by lowercasing the HTTP method and looking it up as an attribute with `getattr`, without restricting the lookup to a known set of HTTP verbs. When an `HTTPEndpoint` subclass is registered through…