Encode Starlette vulnerabilities

6 known vulnerabilities affecting encode/starlette.

Total CVEs
6
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH5MEDIUM1

Vulnerabilities

Page 1 of 1
CVE-2025-62727HIGHCVSS 7.5≥ 0.39.0, < 0.49.12025-10-28
CVE-2025-62727 [HIGH] CWE-400 Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse`` Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse`` ### Summary An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving file
ghsaosv
CVE-2025-54121MEDIUMCVSS 5.3fixed in 0.47.22025-07-21
CVE-2025-54121 [MEDIUM] CWE-770 CVE-2025-54121: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event
ghsanvdosv
CVE-2024-47874HIGHCVSS 8.7fixed in 0.40.02024-10-15
CVE-2024-47874 [HIGH] CWE-770 CVE-2024-47874: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.4 Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down signific
ghsanvdosv
CVE-2024-24762HIGHCVSS 7.5fixed in 0.36.22024-02-05
CVE-2024-24762 [HIGH] CWE-400 CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipa `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minu
nvd
CVE-2023-29159HIGHCVSS 7.5≥ 0.13.5, < 0.27.0vversions 0.13.5 and later and prior to 0.27.02023-06-01
CVE-2023-29159 [HIGH] CWE-22 CVE-2023-29159: Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
ghsanvdosv
CVE-2023-30798HIGHCVSS 7.5fixed in 0.25.02023-04-21
CVE-2023-30798 [HIGH] CWE-400 CVE-2023-30798: There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
ghsanvdosv