Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-62727
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
- ❌ starlette-0.41.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
Step up your Open Source Security Game with Mend here
CVE-2026-48710
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
- ❌ starlette-0.41.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-54121
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
- ❌ starlette-0.41.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.41.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/96/00/2b325970b3060c7cecebab6d295afe763365822b1306a12eeab198f74323/starlette-0.41.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130134701_RTDPGV/python_UUFPFG/202501301347031/env/lib/python3.8/site-packages/starlette-0.41.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here