VulnerableCode Package Details - pkg:pypi/starlette@0.36.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-2c5q-buqw-u7ex Aliases: CVE-2026-48710 GHSA-86qp-5c8j-p5mr PYSEC-2026-161 X41-2026-002	BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.	1.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2c5q-buqw-u7ex
Aliases:
CVE-2026-48710
GHSA-86qp-5c8j-p5mr
PYSEC-2026-161
X41-2026-002

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.

1.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gb68-ds24-f7h9	Starlette Content-Type Header ReDoS ### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.	GHSA-93gm-qmq6-w238 GMS-2024-92

Vulnerability

Summary

Aliases

VCID-gb68-ds24-f7h9

Starlette Content-Type Header ReDoS ### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.

GHSA-93gm-qmq6-w238
GMS-2024-92

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:59.741812+00:00	GitLab Importer	Fixing	VCID-gb68-ds24-f7h9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/GMS-2024-92.yml	38.6.0
2026-06-02T04:25:20.113911+00:00	Pypa Importer	Affected by	VCID-2c5q-buqw-u7ex	https://github.com/pypa/advisory-database/blob/main/vulns/starlette/PYSEC-2026-161.yaml	38.6.0

2026-06-02T04:46:59.741812+00:00

GitLab Importer

Fixing

VCID-gb68-ds24-f7h9

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/GMS-2024-92.yml

38.6.0

2026-06-02T04:25:20.113911+00:00

Pypa Importer

Affected by

VCID-2c5q-buqw-u7ex

https://github.com/pypa/advisory-database/blob/main/vulns/starlette/PYSEC-2026-161.yaml

38.6.0

Next non-vulnerable version	1.0.1
Latest non-vulnerable version	1.0.1
Risk