cbcvebase.

Encode Starlette vulnerabilities

11 known vulnerabilities affecting encode/starlette.

Total CVEs
11
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH7MEDIUM4

Vulnerabilities

Page 1 of 1
CVE-2026-48710P3MEDIUMCVSS 6.5PoC≥ 0.8.3, < 1.0.12026-05-26
CVE-2026-48710 [MEDIUM] CWE-444 CVE-2026-48710: Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request h Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the p
ghsanvd
CVE-2024-47874P3HIGHCVSS 8.7fixed in 0.40.02024-10-15
CVE-2024-47874 [HIGH] CWE-770 CVE-2024-47874: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.4 Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down signific
ghsanvdosv
CVE-2023-29159P3HIGHCVSS 7.5≥ 0.13.5, < 0.27.0vversions 0.13.5 and later and prior to 0.27.02023-06-01
CVE-2023-29159 [HIGH] CWE-22 CVE-2023-29159: Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
ghsanvdosv
CVE-2026-48818P3HIGHCVSS 7.5fixed in 1.1.02026-06-17
CVE-2026-48818 [HIGH] CWE-918 CVE-2026-48818: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Win Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even thou
ghsanvd
CVE-2025-62727P3HIGHCVSS 7.5≥ 0.39.0, < 0.49.12025-10-28
CVE-2025-62727 [HIGH] CWE-400 Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse`` Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse`` ### Summary An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving file
ghsaosv
CVE-2026-54283P3HIGHCVSS 7.5≥ 0.4.1, < 1.3.12026-06-22
CVE-2026-54283 [HIGH] CWE-770 CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts ma Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded
ghsanvd
CVE-2024-24762P3HIGHCVSS 7.5fixed in 0.36.22024-02-05
CVE-2024-24762 [HIGH] CWE-400 CVE-2024-24762: `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipa `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minu
nvd
CVE-2023-30798P3HIGHCVSS 7.5fixed in 0.25.02023-04-21
CVE-2023-30798 [HIGH] CWE-400 CVE-2023-30798: There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
ghsanvdosv
CVE-2026-48817P4MEDIUMCVSS 5.3fixed in 1.1.02026-06-17
CVE-2026-48817 [MEDIUM] CWE-470 CVE-2026-48817: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a r Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without
ghsanvd
CVE-2026-54282P4MEDIUMCVSS 5.3fixed in 1.3.02026-06-22
CVE-2026-54282 [MEDIUM] CWE-706 CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not vali Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-p
ghsanvd
CVE-2025-54121P4MEDIUMCVSS 5.3fixed in 0.47.22025-07-21
CVE-2025-54121 [MEDIUM] CWE-770 CVE-2025-54121: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event
ghsanvdosv
Encode Starlette vulnerabilities | cvebase