Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0037
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2026-05-15
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
CVE-2026-54283
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Summary
"request.form()" accepts "max_fields" and "max_part_size" to bound resource consumption while parsing form data. These limits are enforced for "multipart/form-data", but silently ignored for "application/x-www-form-urlencoded". An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply.
Details
"request.form()" dispatches to a different parser depending on the "Content-Type". For "multipart/form-data" the "max_files", "max_fields", and "max_part_size" limits are forwarded to the parser, but for "application/x-www-form-urlencoded" the parser is constructed without them. It has no "max_fields" or "max_part_size" parameter to receive them, and it appends every field with no count check and accumulates each field's name and value with no size check. The configured limits are therefore both unreachable and unenforced for url-encoded bodies.
Because the url-encoded parser does its work synchronously between stream reads, the two attack shapes have different effects:
- Field count drives CPU and event-loop blocking. A body of ~1,000,000 fields (a sub-10MB payload such as "f0=v&f1=v&...") blocks the worker's event loop for several seconds while parsing, during which the worker serves no other request.
- Field size drives memory. A single large field value (e.g. a 50MB value) is buffered in full to build the "FormData", forcing memory allocation proportional to the request body.
The equivalent "multipart/form-data" request is correctly rejected with "400 Too many fields" / "400 Field exceeded maximum size".
Impact
This Denial of Service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) that call "request.form()" on "application/x-www-form-urlencoded" requests.
A single request with a very large number of fields blocks the event loop for several seconds, and a single request with a very large field forces unbounded memory allocation; in either case, parallel requests can render the service unusable. A reverse proxy that enforces a request body size limit reduces but does not eliminate the exposure, since a sub-10MB body is already enough to block the event loop.
Mitigation
Upgrade to a patched version, which forwards "max_fields" and "max_part_size" to the url-encoded parser and enforces them while parsing, raising before the oversized field or excess fields are accumulated. The defaults match "multipart/form-data" ("max_fields=1000", "max_part_size=1MB") and can be customized via "request.form(max_fields=..., max_part_size=...)".
Publish Date: 2026-06-15
URL: CVE-2026-54283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-82w8-qh3p-5jfq
Release Date: 2026-06-15
Fix Resolution: starlette - 1.3.1
CVE-2026-48818
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Summary
When serving static files on Windows, "StaticFiles" resolves the requested path with "os.path.realpath" (https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as "\\attacker.com\share") reaches the resolver, "realpath" causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.
Details
"StaticFiles.lookup_path()" joins the requested path onto the served directory and calls "os.path.realpath" on the result before checking containment with "os.path.commonpath" (https://docs.python.org/3/library/os.path.html#os.path.commonpath). On Windows, a UNC path is absolute, so "os.path.join" (https://docs.python.org/3/library/os.path.html#os.path.join) discards the served directory and "realpath" resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened.
POSIX systems are not affected. This only affects the default configuration ("follow_symlink=False"), which uses "os.path.realpath". The "follow_symlink=True" branch uses "os.path.abspath" (https://docs.python.org/3/library/os.path.html#os.path.abspath), which performs no I/O.
Impact
Applications running on Windows that serve files with "StaticFiles" (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. "StaticFiles" is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash.
A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.
Mitigation
Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of "StaticFiles" avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.
Publish Date: 2026-06-15
URL: CVE-2026-48818
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/encode/starlette.git - 1.1.0,starlette - 1.1.0
CVE-2025-62727
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
CVE-2024-47874
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of Service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Version 0.40.0 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-47874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
CVE-2023-30798
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.25.0
CVE-2023-29159
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.27.0
CVE-2026-48710
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to scope["server"] for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
CVE-2026-48817
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Summary
When dispatching a request, "HTTPEndpoint" selects the handler by lowercasing the HTTP method and looking it up as an attribute with "getattr", without restricting the lookup to a known set of HTTP verbs. When an "HTTPEndpoint" subclass is registered through "Route(...)" without an explicit "methods=" argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler.
Details
"HTTPEndpoint" uses the client-supplied method name to resolve an instance attribute, without validating it against the set of HTTP verbs the endpoint supports. A method such as "_DO_DELETE" therefore resolves an attribute like "_do_delete" and invokes it. Non-standard methods are valid "RFC 9110" (https://www.rfc-editor.org/rfc/rfc9110#name-method) token methods, so an endpoint must not treat the method name as a trusted attribute selector.
Impact
An application is affected when all of the following hold:
- It defines an "HTTPEndpoint" subclass and registers it via "Route(...)" without an explicit "methods=" argument.
- The subclass defines additional methods whose names match a non-standard HTTP-method token shape and that accept a single "request" argument and return a response.
This also affects frameworks built on Starlette, like FastAPI.
Mitigation
Register "HTTPEndpoint" subclasses with an explicit "methods=" argument on the "Route", listing only the HTTP verbs the endpoint supports. The route then rejects any other method with "405 Method Not Allowed" before it reaches the endpoint, so non-standard methods cannot resolve an attribute.
Publish Date: 2026-06-15
URL: CVE-2026-48817
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-x746-7m8f-x49c
Release Date: 2026-06-15
Fix Resolution: starlette - 1.1.0
CVE-2025-54121
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
WS-2023-0138
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2026-05-15
URL: WS-2023-0138
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.27.0
CVE-2026-54282
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Summary
In affected versions, the HTTP request path is not validated before being used to reconstruct "request.url". Because "request.url" is rebuilt by concatenating "{scheme}://{host}{path}" and re-parsing the result, a path that does not begin with "/" (for example "@google.com") moves the authority boundary during re-parsing, so "request.url.hostname" and "request.url.netloc" become attacker-controlled. Code that reads "request.url.hostname" (rather than the "Host" header or "scope") can therefore be misled into trusting an attacker-supplied host.
Details
When a client requests a path that does not start with "/":
    GET @google.com HTTP/1.1
    Host: localhost
affected versions reconstruct the URL as "http://localhost@google.com". Per "RFC 3986 §3.2.1" (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1), the substring before "@" in the authority is "userinfo", so re-parsing yields username = "localhost" and hostname = "google.com", with an empty path:
    request.url == "http://localhost@google.com"
    request.url.hostname == "google.com"
    request.url.path == ""
The root cause is that the path is concatenated directly after the host without a separating "/", and without validating that it begins with one. Only the "Host" header was validated when constructing "request.url"; the path was not. This requires an ASGI server that forwards a request-target lacking a leading "/" into scope["path"].
Impact
Any application running an affected version that uses "request.url", "request.url.netloc", or "request.url.hostname" for a security-sensitive decision (host-based authorization, redirect/callback base, SSRF target, cache key, audit log) may be affected, when no fronting proxy or load balancer rejects the malformed request-target first. Note that this is less exploitable than GHSA-86qp-5c8j-p5mr: there, the poison is carried in the "Host" header, so the real path still routes to a valid endpoint while "request.url.path" lies.
Here, the poison must be carried in the path itself, and that path ("@google.com") does not match any registered route, so routing returns "404" and no endpoint handler runs. The exposure is limited to code that reads "request.url" before routing - notably middleware - or in 404/exception handlers.
Mitigation
Upgrade to a patched version, which prevents the request path from crossing into the URL authority. The request above instead yields "http://localhost/@google.com" with request.url.hostname == "localhost".
Publish Date: 2026-06-15
URL: CVE-2026-54282
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp82-jpqv-5vv3
Release Date: 2026-06-15
Fix Resolution: starlette - 1.3.0
Step up your Open Source Security Game with Mend here
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2026-05-15
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Summary "request.form()" accepts "max_fields" and "max_part_size" to bound resource consumption while parsing form data. These limits are enforced for "multipart/form-data", but silently ignored for "application/x-www-form-urlencoded". An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. Details "request.form()" dispatches to a different parser depending on the "Content-Type". For "multipart/form-data" the "max_files", "max_fields", and "max_part_size" limits are forwarded to the parser, but for "application/x-www-form-urlencoded" the parser is constructed without them. It has no "max_fields" or "max_part_size" parameter to receive them, and it appends every field with no count check and accumulates each field's name and value with no size check. The configured limits are therefore both unreachable and unenforced for url-encoded bodies. Because the url-encoded parser does its work synchronously between stream reads, the two attack shapes have different effects: - Field count drives CPU and event-loop blocking. A body of ~1,000,000 fields (a sub-10MB payload such as "f0=v&f1=v&...") blocks the worker's event loop for several seconds while parsing, during which the worker serves no other request. - Field size drives memory. A single large field value (e.g. a 50MB value) is buffered in full to build the "FormData", forcing memory allocation proportional to the request body. The equivalent "multipart/form-data" request is correctly rejected with "400 Too many fields" / "400 Field exceeded maximum size". Impact This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) that call "request.form()" on "application/x-www-form-urlencoded" requests. 
A single request with a very large number of fields blocks the event loop for several seconds, and a single request with a very large field forces unbounded memory allocation; in either case, parallel requests can render the service unusable. A reverse proxy that enforces a request body size limit reduces but does not eliminate the exposure, since a sub-10MB body is already enough to block the event loop. Mitigation Upgrade to a patched version, which forwards "max_fields" and "max_part_size" to the url-encoded parser and enforces them while parsing, raising before the oversized field or excess fields are accumulated. The defaults match "multipart/form-data" ("max_fields=1000", "max_part_size=1MB") and can be customized via "request.form(max_fields=..., max_part_size=...)".
Publish Date: 2026-06-15
URL: CVE-2026-54283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-82w8-qh3p-5jfq
Release Date: 2026-06-15
Fix Resolution: starlette - 1.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Summary
When serving static files on Windows, "StaticFiles" resolves the requested path with "os.path.realpath" (https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as "\\attacker.com\share") reaches the resolver, "realpath" causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.
Details
"StaticFiles.lookup_path()" joins the requested path onto the served directory and calls "os.path.realpath" (https://docs.python.org/3/library/os.path.html#os.path.realpath) on the result before checking containment with "os.path.commonpath" (https://docs.python.org/3/library/os.path.html#os.path.commonpath). On Windows, a UNC path is absolute, so "os.path.join" (https://docs.python.org/3/library/os.path.html#os.path.join) discards the served directory and "realpath" resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened.
POSIX systems are not affected.
This only affects the default configuration ("follow_symlink=False"), which uses "os.path.realpath" (https://docs.python.org/3/library/os.path.html#os.path.realpath). The "follow_symlink=True" branch uses "os.path.abspath" (https://docs.python.org/3/library/os.path.html#os.path.abspath), which performs no I/O.
Impact
Applications running on Windows that serve files with "StaticFiles" (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. "StaticFiles" is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.
Mitigation
Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of "StaticFiles" avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.
Publish Date: 2026-06-15
URL: CVE-2026-48818
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/encode/starlette.git - 1.1.0, starlette - 1.1.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1, https://github.com/Kludex/starlette.git - 0.49.1
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of Service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Version 0.40.0 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-47874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.25.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.27.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Summary
When dispatching a request, "HTTPEndpoint" selects the handler by lowercasing the HTTP method and looking it up as an attribute with "getattr", without restricting the lookup to a known set of HTTP verbs. When an "HTTPEndpoint" subclass is registered through "Route(...)" without an explicit "methods=" argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler.
Details
"HTTPEndpoint" uses the client-supplied method name to resolve an instance attribute, without validating it against the set of HTTP verbs the endpoint supports. A method such as "_DO_DELETE" therefore resolves an attribute like "_do_delete" and invokes it. Non-standard methods are valid RFC 9110 (https://www.rfc-editor.org/rfc/rfc9110#name-method) token methods, so an endpoint must not treat the method name as a trusted attribute selector.
Impact
An application is affected when all of the following hold:
- It defines an "HTTPEndpoint" subclass and registers it via "Route(...)" without an explicit "methods=" argument.
- The subclass defines additional methods whose names match a non-standard HTTP-method token shape and that accept a single "request" argument and return a response.
This also affects frameworks built on Starlette, like FastAPI.
Mitigation
Register "HTTPEndpoint" subclasses with an explicit "methods=" argument on the "Route", listing only the HTTP verbs the endpoint supports. The route then rejects any other method with "405 Method Not Allowed" before it reaches the endpoint, so non-standard methods cannot resolve an attribute.
Publish Date: 2026-06-15
URL: CVE-2026-48817
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-x746-7m8f-x49c
Release Date: 2026-06-15
Fix Resolution: starlette - 1.1.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2026-05-15
URL: WS-2023-0138
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.27.0
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
Vulnerability Details
Summary
In affected versions, the HTTP request path is not validated before being used to reconstruct "request.url". Because "request.url" is rebuilt by concatenating "{scheme}://{host}{path}" and re-parsing the result, a path that does not begin with "/" (for example "@google.com") moves the authority boundary during re-parsing, so "request.url.hostname" and "request.url.netloc" become attacker-controlled. Code that reads "request.url.hostname" (rather than the "Host" header or "scope") can therefore be misled into trusting an attacker-supplied host.
Details
When a client requests a path that does not start with "/":
    GET @google.com HTTP/1.1
    Host: localhost
affected versions reconstruct the URL as "http://localhost@google.com". Per RFC 3986 §3.2.1 (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1), the substring before "@" in the authority is "userinfo", so re-parsing yields "username = "localhost"" and "hostname = "google.com"", with an empty path:
    request.url == "http://localhost@google.com"
    request.url.hostname == "google.com"
    request.url.path == ""
The root cause is that the path is concatenated directly after the host without a separating "/", and without validating that it begins with one. Only the "Host" header was validated when constructing "request.url"; the path was not. This requires an ASGI server that forwards a request-target lacking a leading "/" into "scope["path"]".
Impact
Any application running an affected version that uses "request.url", "request.url.netloc", or "request.url.hostname" for a security-sensitive decision (host-based authorization, redirect/callback base, SSRF target, cache key, audit log) may be affected, when no fronting proxy or load balancer rejects the malformed request-target first. Note that this is less exploitable than GHSA-86qp-5c8j-p5mr: there, the poison is carried in the "Host" header, so the real path still routes to a valid endpoint while "request.url.path" lies. Here, the poison must be carried in the path itself, and that path ("@google.com") does not match any registered route, so routing returns "404" and no endpoint handler runs. The exposure is limited to code that reads "request.url" before routing (notably middleware) or in 404/exception handlers.
Mitigation
Upgrade to a patched version, which prevents the request path from crossing into the URL authority. The request above instead yields "http://localhost/@google.com" with "request.url.hostname == "localhost"".
Publish Date: 2026-06-15
URL: CVE-2026-54282
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp82-jpqv-5vv3
Release Date: 2026-06-15
Fix Resolution: starlette - 1.3.0