Vulnerability-Lookup

SUSE-SU-2026:22151-1

Vulnerability from csaf_suse - Published: 2026-06-17 08:36 - Updated: 2026-06-17 08:36

Summary

Security update for python-starlette

Severity

Important

Notes

Title of the patch: Security update for python-starlette

Description of the patch: This update for python-starlette fixes the following issues - CVE-2025-54121: denial-of-service when parsing a multi-part form with large files (bsc#1246855). - CVE-2025-62727: DoS via Range header merging (bsc#1252805). - CVE-2026-48710: Missing Host header validation poisons request.url.path, bypassing path-based security checks (bsc#1266369).

Patchnames: SUSE-SLES-16.0-940

CVE-2025-54121

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix

Threats

Impact moderate

CVE-2025-62727

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix

Threats

Impact important

CVE-2026-48710

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch		—	Vendor Fix

Threats

Impact moderate

References

16 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1246855	self
https://bugzilla.suse.com/1252805	self
https://bugzilla.suse.com/1266369	self
https://www.suse.com/security/cve/CVE-2025-54121/	self
https://www.suse.com/security/cve/CVE-2025-62727/	self
https://www.suse.com/security/cve/CVE-2026-48710/	self
https://www.suse.com/security/cve/CVE-2025-54121	external
https://bugzilla.suse.com/1246855	external
https://www.suse.com/security/cve/CVE-2025-62727	external
https://bugzilla.suse.com/1252805	external
https://www.suse.com/security/cve/CVE-2026-48710	external
https://bugzilla.suse.com/1266369	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-starlette",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-starlette fixes the following issues\n\n- CVE-2025-54121: denial-of-service when parsing a multi-part form with large files (bsc#1246855).\n- CVE-2025-62727: DoS via Range header merging (bsc#1252805).\n- CVE-2026-48710: Missing Host header validation poisons request.url.path, bypassing path-based security checks\n  (bsc#1266369).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-940",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22151-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:22151-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622151-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:22151-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026936.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1246855",
        "url": "https://bugzilla.suse.com/1246855"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252805",
        "url": "https://bugzilla.suse.com/1252805"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1266369",
        "url": "https://bugzilla.suse.com/1266369"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54121 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54121/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-62727 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-62727/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-48710 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-48710/"
      }
    ],
    "title": "Security update for python-starlette",
    "tracking": {
      "current_release_date": "2026-06-17T08:36:56Z",
      "generator": {
        "date": "2026-06-17T08:36:56Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:22151-1",
      "initial_release_date": "2026-06-17T08:36:56Z",
      "revision_history": [
        {
          "date": "2026-06-17T08:36:56Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-starlette-0.41.3-160000.3.1.noarch",
                "product": {
                  "name": "python313-starlette-0.41.3-160000.3.1.noarch",
                  "product_id": "python313-starlette-0.41.3-160000.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.41.3-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
        },
        "product_reference": "python313-starlette-0.41.3-160000.3.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.41.3-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
        },
        "product_reference": "python313-starlette-0.41.3-160000.3.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-54121",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54121"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can\u0027t accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54121",
          "url": "https://www.suse.com/security/cve/CVE-2025-54121"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246855 for CVE-2025-54121",
          "url": "https://bugzilla.suse.com/1246855"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T08:36:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54121"
    },
    {
      "cve": "CVE-2025-62727",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-62727"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-62727",
          "url": "https://www.suse.com/security/cve/CVE-2025-62727"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252805 for CVE-2025-62727",
          "url": "https://bugzilla.suse.com/1252805"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T08:36:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-62727"
    },
    {
      "cve": "CVE-2026-48710",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-48710"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 3.2 / RFC 3986 3.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-48710",
          "url": "https://www.suse.com/security/cve/CVE-2026-48710"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266369 for CVE-2026-48710",
          "url": "https://bugzilla.suse.com/1266369"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T08:36:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-48710"
    }
  ]
}

CVE-2025-54121 (GCVE-0-2025-54121)

Vulnerability from cvelistv5 – Published: 2025-07-21 20:06 – Updated: 2025-07-22 19:54

Title

Starlette has possible denial-of-service vector when parsing large files in multipart forms

Summary

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/encode/starlette/security/advi…	x_refsource_CONFIRM
https://github.com/encode/starlette/commit/9f7ec2…	x_refsource_MISC
https://github.com/encode/starlette/blob/fa535544…	x_refsource_MISC
https://github.com/encode/starlette/discussions/2…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
encode	starlette	Affected: < 0.47.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54121",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T19:54:16.504521Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T19:54:24.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlette",
          "vendor": "encode",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.47.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can\u0027t accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-21T20:06:03.818Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73"
        },
        {
          "name": "https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1"
        },
        {
          "name": "https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14"
        },
        {
          "name": "https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403"
        }
      ],
      "source": {
        "advisory": "GHSA-2c2j-9gv5-cj73",
        "discovery": "UNKNOWN"
      },
      "title": "Starlette has possible denial-of-service vector when parsing large files in multipart forms"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54121",
    "datePublished": "2025-07-21T20:06:03.818Z",
    "dateReserved": "2025-07-16T23:53:40.508Z",
    "dateUpdated": "2025-07-22T19:54:24.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62727 (GCVE-0-2025-62727)

Vulnerability from cvelistv5 – Published: 2025-10-28 20:14 – Updated: 2025-11-04 17:41

Title

Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse

Summary

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/Kludex/starlette/security/advi…	x_refsource_CONFIRM
https://github.com/Kludex/starlette/commit/4ea6e2…	x_refsource_MISC
https://github.com/Kludex/starlette/commit/69ed26…	x_refsource_MISC
https://github.com/Kludex/starlette/releases/tag/0.49.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Kludex	starlette	Affected: >= 0.39.0, < 0.49.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62727",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-28T20:36:34.130234Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T20:36:49.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlette",
          "vendor": "Kludex",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.39.0, \u003c 0.49.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T17:41:42.316Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
        },
        {
          "name": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5"
        },
        {
          "name": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c"
        },
        {
          "name": "https://github.com/Kludex/starlette/releases/tag/0.49.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/releases/tag/0.49.1"
        }
      ],
      "source": {
        "advisory": "GHSA-7f5h-v6xp-fcq8",
        "discovery": "UNKNOWN"
      },
      "title": "Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62727",
    "datePublished": "2025-10-28T20:14:53.655Z",
    "dateReserved": "2025-10-20T19:41:22.742Z",
    "dateUpdated": "2025-11-04T17:41:42.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48710 (GCVE-0-2026-48710)

Vulnerability from cvelistv5 – Published: 2026-05-26 21:54 – Updated: 2026-06-27 05:17

Title

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Summary

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Assigner

GitHub_M

References

15 references

URL	Tags
https://github.com/Kludex/starlette/security/advi…	x_refsource_CONFIRM
https://github.com/Kludex/starlette/commit/764dab…	x_refsource_MISC
https://badhost.org	x_refsource_MISC
https://github.com/pypa/advisory-database/tree/ma…	x_refsource_MISC
https://ostif.org/disclosing-the-badhost-vulnerab…	x_refsource_MISC
https://www.secwest.net/starlette	x_refsource_MISC
https://www.x41-dsec.de/lab/advisories/x41-2026-0…	x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2026-48710	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2481742	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:24866	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23346	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22993	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26226	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22992	vendor-advisoryx_refsource_REDHAT

Impacted products

13 products

Vendor	Product	Version
Kludex	starlette	Affected: < 1.0.1
Red Hat	Red Hat Ansible Automation Platform 2.6	cpe:/a:redhat:ansible_automation_platform:2.6::el9
Red Hat	Red Hat Ansible Automation Platform 2.7	cpe:/a:redhat:ansible_automation_platform:2.7::el9
Red Hat	Red Hat Satellite 6.18	cpe:/a:redhat:satellite:6.18::el9
Red Hat	Red Hat Satellite 6.19	cpe:/a:redhat:satellite:6.19::el9
Red Hat	Exploit Intelligence	cpe:/a:redhat:exploit_intelligence:0
Red Hat	Migration Toolkit for Applications 8	cpe:/a:redhat:migration_toolkit_applications:8
Red Hat	OpenShift Lightspeed	cpe:/a:redhat:openshift_lightspeed
Red Hat	Red Hat AI Inference Server	cpe:/a:redhat:ai_inference_server:3
Red Hat	Red Hat Enterprise Linux AI (RHEL AI) 3	cpe:/a:redhat:enterprise_linux_ai:3
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat Satellite 6	cpe:/a:redhat:satellite:6
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T14:22:19.241769Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T14:26:57.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.7::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6.18::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Satellite 6.18",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6.19::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Satellite 6.19",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:exploit_intelligence:0"
            ],
            "defaultStatus": "affected",
            "product": "Exploit Intelligence",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:migration_toolkit_applications:8"
            ],
            "defaultStatus": "affected",
            "product": "Migration Toolkit for Applications 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_lightspeed"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Lightspeed",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-26T21:54:54.393Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP `Host` request header. This malformed header could cause the `request.url` to be incorrectly reconstructed, leading to a discrepancy with the actual requested path. Consequently, security restrictions enforced by middleware and endpoints that rely on `request.url` for validation could be bypassed, potentially allowing unauthorized access or actions."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Critical"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1289",
                "description": "Improper Validation of Unsafe Equivalence in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-27T05:17:18.789Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-48710"
          },
          {
            "name": "RHBZ#2481742",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481742"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24866"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23346"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22993"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26226"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22992"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23346: Red Hat Ansible Automation Platform 2.7"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22993: Red Hat Satellite 6.18"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26226: Red Hat Satellite 6.18"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22992: Red Hat Satellite 6.19"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-26T23:01:03.204Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-26T21:54:54.393Z",
            "value": "Made public."
          }
        ],
        "title": "starlette: Starlette: Security restriction bypass via malformed HTTP Host header",
        "workarounds": [
          {
            "lang": "en",
            "value": "Deploying an RFC-compliant reverse proxy (such as nginx, Apache, HAProxy, or Caddy) in front of the ASGI server will reject malformed Host headers before they reach the application. This is the most straightforward mitigation that does not require code changes.\n\nIf custom middleware is present, it should be updated to use `request.scope[\"path\"]` instead of `request.url.path` for any security decisions. The ASGI scope path is derived from the HTTP request line and is not influenced by the Host header, so it reflects the actual request target."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlette",
          "vendor": "Kludex",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 \u00a73.2 / RFC 3986 \u00a73.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T21:54:54.393Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
        },
        {
          "name": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
        },
        {
          "name": "https://badhost.org",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://badhost.org"
        },
        {
          "name": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
        },
        {
          "name": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
        },
        {
          "name": "https://www.secwest.net/starlette",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.secwest.net/starlette"
        },
        {
          "name": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
        }
      ],
      "source": {
        "advisory": "GHSA-86qp-5c8j-p5mr",
        "discovery": "UNKNOWN"
      },
      "title": "Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48710",
    "datePublished": "2026-05-26T21:54:54.393Z",
    "dateReserved": "2026-05-22T18:47:27.755Z",
    "dateUpdated": "2026-06-27T05:17:18.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:22151-1

CVE-2025-54121 (GCVE-0-2025-54121)

CVE-2025-62727 (GCVE-0-2025-62727)

CVE-2026-48710 (GCVE-0-2026-48710)

Tags

Sightings

Nomenclature