CVE-2025-54121
Published 2025-07-21. CVE-2025-54121: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions…
Priority P4 · 28 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS 0.53% (40.5th percentile)
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit for building async web services in Python. In versions 0.47.1 and below, when parsing a multipart form whose file parts exceed the default max spool size, Starlette performs the write that rolls the spooled file over to disk synchronously on the event loop thread. While that rollover runs the loop cannot service other connections, so a remote client can degrade availability simply by sending such uploads. The UploadFile write logic only checked self._in_memory before writing inline; it should also check whether the pending bytes will trigger a rollover and, if so, dispatch that write off the event loop. The vulnerability is fixed in version 0.47.2.
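The following Python example is added here to illustrate the rollover behaviour; it is not Starlette's own code. It uses CPython's tempfile.SpooledTemporaryFile, which is what Starlette spools multipart uploads into, and reproduces the decision the UploadFile write path makes: the pre-0.47.2 predicate only checks whether the file is still in memory, while the corrected predicate also checks whether the pending chunk will push the file past the spool limit. The class name UploadFile, the helper names in_memory, will_roll_over, needs_threadpool_vulnerable and needs_threadpool_fixed, the 1024-byte max_size and the 300-byte chunks are all assumptions made for this example (Starlette's default spool limit is 1 MiB); the private attributes _rolled and _max_size are CPython implementation details of SpooledTemporaryFile, and Starlette's own _in_memory property reads _rolled the same way.

```python
"""Added example, not Starlette code: why a SpooledTemporaryFile rollover
blocks the event loop, and the pre-write check that keeps it off the loop.

Names UploadFile, in_memory, will_roll_over, needs_threadpool_* and the
sizes used in simulate() are assumptions for this illustration.
"""
import asyncio
import tempfile


def in_memory(spool: tempfile.SpooledTemporaryFile) -> bool:
    # Mirrors Starlette's `_in_memory`: CPython sets `_rolled = True` on a
    # SpooledTemporaryFile once its contents have moved to a real file.
    return not getattr(spool, "_rolled", True)


def will_roll_over(spool: tempfile.SpooledTemporaryFile, nbytes: int) -> bool:
    # CPython rolls over when the write position exceeds max_size *after* a
    # write, so the check is "current position + pending chunk > max_size".
    max_size = getattr(spool, "_max_size", 0)
    if not in_memory(spool) or not max_size:
        return False
    return spool.tell() + nbytes > max_size


def needs_threadpool_vulnerable(spool, nbytes: int) -> bool:
    # Pre-0.47.2 decision: only files already rolled to disk are written in a
    # worker thread. The write that *causes* the rollover still runs inline.
    return not in_memory(spool)


def needs_threadpool_fixed(spool, nbytes: int) -> bool:
    # 0.47.2 decision: also off-load the write that would trigger rollover.
    return not in_memory(spool) or will_roll_over(spool, nbytes)


class UploadFile:
    """Minimal stand-in for the upload object: decides per write whether the
    bytes go to the spooled file inline (on the loop) or in a worker thread."""

    def __init__(self, max_size: int, fixed: bool) -> None:
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self._decide = needs_threadpool_fixed if fixed else needs_threadpool_vulnerable
        self.inline_rollovers = 0  # rollovers that ran on the event loop thread

    async def write(self, data: bytes) -> None:
        if self._decide(self.file, len(data)):
            await asyncio.to_thread(self.file.write, data)
            return
        was_in_memory = in_memory(self.file)
        self.file.write(data)  # synchronous: the loop is stalled until it returns
        if was_in_memory and not in_memory(self.file):
            self.inline_rollovers += 1  # the disk copy just happened on the loop


async def simulate(fixed: bool, max_size: int = 1024, chunk: int = 300, n: int = 5) -> int:
    # Constructed input: five 300-byte chunks against a 1024-byte spool limit,
    # so the fourth chunk is the one that crosses the limit.
    uf = UploadFile(max_size, fixed)
    for _ in range(n):
        await uf.write(b"A" * chunk)
    uf.file.close()
    return uf.inline_rollovers


def run_simulation(fixed: bool) -> int:
    """Number of rollovers performed on the event loop for the given logic."""
    return asyncio.run(simulate(fixed))


if __name__ == "__main__":
    print("vulnerable logic, inline rollovers:", run_simulation(fixed=False))
    print("fixed logic, inline rollovers:", run_simulation(fixed=True))
```

run_simulation(fixed=False) returns 1: the fourth chunk takes the write position from 900 to 1200 bytes, past the 1024-byte limit, and the copy of the in-memory buffer to disk runs on the loop thread. run_simulation(fixed=True) returns 0 because will_roll_over sees the crossing coming and the same write is dispatched to a worker thread. The blocking window in production is the copy of the in-memory buffer (up to the spool limit) to disk, repeated for every file part that crosses it; to check a deployment, compare the output of `python -c "import starlette; print(starlette.__version__)"` against 0.47.2.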
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | starlette | < 0.46.1-3 (forky) | 0.46.1-3 (forky) |
| encode | starlette | < 0.47.2 | 0.47.2 |
| encode | starlette | >= 0, < 0.46.1-3 | 0.46.1-3 |
| encode | starlette | >= 0, < 0.47.2 | 0.47.2 |
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv · 5.3 MEDIUM
vendor_debian · 5.3 MEDIUM
vendor_redhat · 5.3 MEDIUM
Red Hat
starlette: Starlette denial-of-service
vendor_redhat·2025-07-21·CVSS 5.3
CVE-2025-54121 [MEDIUM] CWE-770 starlette: Starlette denial-of-service
A denial of service flaw was found in the Starlette ASGI framework. This flaw allows a remote attacker to submit a specially crafted
Debian
CVE-2025-54121: starlette - Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framewor...
vendor_debian·2025·CVSS 5.3
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 0.46.1-3)
sid: resolved (fixed in 0.46.1-3)
trixie: resolved (fixed in 0.46.1-3)
GHSA
Starlette has possible denial-of-service vector when parsing large files in multipart forms
ghsa·2025-07-21
CVE-2025-54121 [MEDIUM] CWE-770 Starlette has possible denial-of-service vector when parsing large files in multipart forms
### Summary
When parsing a multi-part form with large files (greater than the [default max spool size](https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/formparsers.py#L126)) `starlette` will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.
### Details
Please see this discussion for details: https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied from [here](https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14)) has a minor bug. Instead
OSV
Starlette has possible denial-of-service vector when parsing large files in multipart forms
osv·2025-07-21
CVE-2025-54121 [MEDIUM] Starlette has possible denial-of-service vector when parsing large files in multipart forms
OSV
CVE-2025-54121: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python
osv·2025-07-21·CVSS 5.3
No detection rules found.
No public exploits indexed.
References:
- https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14
- https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
- https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403
- https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
Published 2025-07-21