Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-6wzh-4g3t-93gv

Summary

Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``
An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., `StaticFiles` or any use of `FileResponse`).

Aliases

alias	CVE-2025-62727

alias	GHSA-7f5h-v6xp-fcq8

Fixed_packages

url	pkg:deb/debian/starlette@0?distro=trixie
purl	pkg:deb/debian/starlette@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@0%3Fdistro=trixie

url pkg:deb/debian/starlette@0.14.1-1?distro=trixie

purl pkg:deb/debian/starlette@0.14.1-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5q-buqw-u7ex

vulnerability	VCID-71x5-qbjg-ukfq

vulnerability	VCID-8crr-rfdt-p7bq

vulnerability	VCID-vgxy-kjyx-bqfm

vulnerability	VCID-z97b-rhv4-17c5

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@0.14.1-1%3Fdistro=trixie

url	pkg:deb/debian/starlette@0.26.1-1?distro=trixie
purl	pkg:deb/debian/starlette@0.26.1-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@0.26.1-1%3Fdistro=trixie

url	pkg:deb/debian/starlette@0.46.1-3%2Bdeb13u1?distro=trixie
purl	pkg:deb/debian/starlette@0.46.1-3%2Bdeb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@0.46.1-3%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/starlette@0.50.0-1?distro=trixie
purl	pkg:deb/debian/starlette@0.50.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@0.50.0-1%3Fdistro=trixie

url	pkg:deb/debian/starlette@1.1.0-1?distro=trixie
purl	pkg:deb/debian/starlette@1.1.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/starlette@1.1.0-1%3Fdistro=trixie

url pkg:pypi/starlette@0.49.1

purl pkg:pypi/starlette@0.49.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5q-buqw-u7ex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/starlette@0.49.1

Affected_packages

url pkg:pypi/starlette@0.39.0

purl pkg:pypi/starlette@0.39.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5q-buqw-u7ex

vulnerability	VCID-6wzh-4g3t-93gv

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/starlette@0.39.0

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62727.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62727.json

reference_url

https://github.com/Kludex/starlette

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette

reference_url

https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5

reference_url

https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c

reference_url

https://github.com/Kludex/starlette/releases/tag/0.49.1

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/releases/tag/0.49.1

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119662
reference_id	1119662
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119662

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2406929
reference_id	2406929
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2406929

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62727

reference_id

CVE-2025-62727

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62727

reference_url	https://github.com/advisories/GHSA-7f5h-v6xp-fcq8
reference_id	GHSA-7f5h-v6xp-fcq8
reference_type
scores
url	https://github.com/advisories/GHSA-7f5h-v6xp-fcq8

reference_url

https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8

reference_id

GHSA-7f5h-v6xp-fcq8

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8

reference_url	https://access.redhat.com/errata/RHSA-2025:22759
reference_id	RHSA-2025:22759
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22759

reference_url	https://access.redhat.com/errata/RHSA-2025:23078
reference_id	RHSA-2025:23078
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23078

reference_url	https://access.redhat.com/errata/RHSA-2025:23079
reference_id	RHSA-2025:23079
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23079

reference_url	https://access.redhat.com/errata/RHSA-2025:23080
reference_id	RHSA-2025:23080
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23080

reference_url	https://access.redhat.com/errata/RHSA-2025:23131
reference_id	RHSA-2025:23131
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23131

reference_url	https://access.redhat.com/errata/RHSA-2025:23133
reference_id	RHSA-2025:23133
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23133

reference_url	https://access.redhat.com/errata/RHSA-2025:23531
reference_id	RHSA-2025:23531
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23531

reference_url	https://access.redhat.com/errata/RHSA-2026:22993
reference_id	RHSA-2026:22993
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22993

reference_url	https://access.redhat.com/errata/RHSA-2026:3461
reference_id	RHSA-2026:3461
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3461

reference_url	https://access.redhat.com/errata/RHSA-2026:3462
reference_id	RHSA-2026:3462
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3462

Weaknesses

cwe_id	400
name	Uncontrolled Resource Consumption
description	The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

cwe_id	407
name	Inefficient Algorithmic Complexity
description	An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6wzh-4g3t-93gv

Vulnerability Instance