CVE-2025-54121Allocation of Resources Without Limits or Throttling in Starlette

CWE-770Allocation of Resources Without Limits or Throttling6 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 54.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Encode StarletteDebian Starlette
Timeline
PublishedJul 21

Description

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_me

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

CVEListV5encode/starlette< 0.47.2
PyPIencode/starlette< 0.47.2
Debianencode/starlette< 0.46.1-3+1
debiandebian/starlette< starlette 0.46.1-3 (forky)

🔴Vulnerability Details

3
GHSA
Starlette has possible denial-of-service vector when parsing large files in multipart forms2025-07-21
OSV
Starlette has possible denial-of-service vector when parsing large files in multipart forms2025-07-21
OSV
CVE-2025-54121: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python2025-07-21

📋Vendor Advisories

2
Red Hat
starlette: Starlette denial-of-service2025-07-21
Debian
CVE-2025-54121: starlette - Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framewor...2025