VulnerableCode Package Details - pkg:pypi/starlette@0.5.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-2c5q-buqw-u7ex Aliases: CVE-2026-48710 GHSA-86qp-5c8j-p5mr PYSEC-2026-161 X41-2026-002	BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.	1.0.1 Affected by 0 other vulnerabilities.
VCID-71x5-qbjg-ukfq Aliases: CVE-2024-47874 GHSA-f96h-pmfr-66vw	Starlette Denial of service (DoS) via multipart/form-data Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.	0.40.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8crr-rfdt-p7bq Aliases: CVE-2023-30798 GHSA-74m5-2c7w-9w3x GMS-2023-353 PYSEC-2023-48	There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.	0.25.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gb68-ds24-f7h9 Aliases: GHSA-93gm-qmq6-w238 GMS-2024-92	Starlette Content-Type Header ReDoS ### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.	0.36.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-z5sa-2796-bbef Aliases: GHSA-3qj8-93xh-pwh2	Duplicate Advisory: Starlette allows an unauthenticated and remote attacker to specify any number of form fields or files ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-74m5-2c7w-9w3x. This link is maintained to preserve external references. ## Original Description There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.	0.25.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-z97b-rhv4-17c5 Aliases: CVE-2025-54121 GHSA-2c2j-9gv5-cj73	Starlette has possible denial-of-service vector when parsing large files in multipart forms When parsing a multi-part form with large files (greater than the [default max spool size](https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/formparsers.py#L126)) `starlette` will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.	0.47.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2c5q-buqw-u7ex
Aliases:
CVE-2026-48710
GHSA-86qp-5c8j-p5mr
PYSEC-2026-161
X41-2026-002

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.

1.0.1
Affected by 0 other vulnerabilities.

VCID-71x5-qbjg-ukfq
Aliases:
CVE-2024-47874
GHSA-f96h-pmfr-66vw

Starlette Denial of service (DoS) via multipart/form-data Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.

0.40.0
Affected by 3 other vulnerabilities.

VCID-8crr-rfdt-p7bq
Aliases:
CVE-2023-30798
GHSA-74m5-2c7w-9w3x
GMS-2023-353
PYSEC-2023-48

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

0.25.0
Affected by 5 other vulnerabilities.

VCID-gb68-ds24-f7h9
Aliases:
GHSA-93gm-qmq6-w238
GMS-2024-92

Starlette Content-Type Header ReDoS ### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.

0.36.2
Affected by 3 other vulnerabilities.

VCID-z5sa-2796-bbef
Aliases:
GHSA-3qj8-93xh-pwh2

Duplicate Advisory: Starlette allows an unauthenticated and remote attacker to specify any number of form fields or files ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-74m5-2c7w-9w3x. This link is maintained to preserve external references. ## Original Description There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

0.25.0
Affected by 5 other vulnerabilities.

VCID-z97b-rhv4-17c5
Aliases:
CVE-2025-54121
GHSA-2c2j-9gv5-cj73

Starlette has possible denial-of-service vector when parsing large files in multipart forms When parsing a multi-part form with large files (greater than the [default max spool size](https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/formparsers.py#L126)) `starlette` will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.

0.47.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:55:50.552750+00:00	GitLab Importer	Affected by	VCID-z97b-rhv4-17c5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/CVE-2025-54121.yml	38.6.0
2026-06-06T05:27:53.597361+00:00	GitLab Importer	Affected by	VCID-71x5-qbjg-ukfq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/CVE-2024-47874.yml	38.6.0
2026-06-06T04:35:09.712438+00:00	GitLab Importer	Affected by	VCID-gb68-ds24-f7h9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/GMS-2024-92.yml	38.6.0
2026-06-06T03:41:41.276527+00:00	GitLab Importer	Affected by	VCID-z5sa-2796-bbef	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/GHSA-3qj8-93xh-pwh2.yml	38.6.0
2026-06-06T03:28:24.053785+00:00	GitLab Importer	Affected by	VCID-8crr-rfdt-p7bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/starlette/CVE-2023-30798.yml	38.6.0
2026-06-05T17:05:32.847849+00:00	PyPI Importer	Affected by	VCID-2c5q-buqw-u7ex	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T17:02:37.120702+00:00	PyPI Importer	Affected by	VCID-8crr-rfdt-p7bq	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-02T04:25:19.683636+00:00	Pypa Importer	Affected by	VCID-2c5q-buqw-u7ex	https://github.com/pypa/advisory-database/blob/main/vulns/starlette/PYSEC-2026-161.yaml	38.6.0
2026-06-02T04:18:37.864638+00:00	Pypa Importer	Affected by	VCID-8crr-rfdt-p7bq	https://github.com/pypa/advisory-database/blob/main/vulns/starlette/PYSEC-2023-48.yaml	38.6.0