Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (starlette version) |
Remediation Possible** |
| WS-2023-0037 |
 High |
7.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.25.0 |
❌ |
| CVE-2025-62727 |
High |
7.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1 |
❌ |
| CVE-2024-47874 |
High |
7.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.40.0 |
❌ |
| CVE-2023-30798 |
High |
7.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.25.0 |
❌ |
| CVE-2023-29159 |
High |
7.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.27.0 |
❌ |
| CVE-2026-48710 |
 Medium |
6.5 |
starlette-0.21.0-py3-none-any.whl |
Direct |
1.0.1 |
❌ |
| CVE-2025-54121 |
Medium |
5.3 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.47.2 |
❌ |
| WS-2023-0138 |
 Low |
3.7 |
starlette-0.21.0-py3-none-any.whl |
Direct |
0.27.0 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0037
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2026-05-15
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
CVE-2025-62727
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
Step up your Open Source Security Game with Mend here
CVE-2024-47874
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-47874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
Step up your Open Source Security Game with Mend here
CVE-2023-30798
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
CVE-2023-29159
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here
CVE-2026-48710
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
CVE-2025-54121
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here
WS-2023-0138
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.21.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2026-05-15
URL: WS-2023-0138
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2026-05-15
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats
multipart/form-dataparts without afilenameas text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.Publish Date: 2024-10-15
URL: CVE-2024-47874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.21.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/94/a3/777d1749aa0db3f9da12a8cc5f89fe01c95548909d012f0e419299c6d8a3/starlette-0.21.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: c2f71f9de1c5a160aa4855528bce741034c691e7
Found in base branch: main
Vulnerability Details
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2026-05-15
URL: WS-2023-0138
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here