starlette
PyPI10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting starlettepage 1 of 1
- CVE-2023-29159HIGHCVSS 7.5EG 7.5✓ Fixed in 0.27.02023-06-01
vulnerable: 0.13.5 ... 0.26.1 (28 versions)
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
- CVE-2023-30798HIGHCVSS 7.5EG 7.5✓ Fixed in 0.25.02023-04-21
vulnerable: 0.1.0 ... 0.9.9 (128 versions)
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denia…
- CVE-2024-47874HIGHCVSS 8.7EG 8.7✓ Fixed in 0.40.02024-10-15
vulnerable: 0.1.0 ... 0.9.9 (161 versions)
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size l…
- CVE-2025-54121MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.47.22025-07-21
vulnerable: 0.1.0 ... 0.9.9 (178 versions)
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the …
- CVE-2025-62727HIGHCVSS 7.5EG 7.5✓ Fixed in 0.49.12025-10-28
vulnerable: 0.39.0 ... 0.49.0 (24 versions)
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileRespons…
- CVE-2026-48710MEDIUMCVSS 6.5EG 6.5✓ Fixed in 1.0.12026-05-26
vulnerable: 0.1.0 ... 1.0.0rc1 (191 versions)
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `re…
- CVE-2026-48817MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.1.02026-06-15
vulnerable: 0.1.0 ... 1.0.1 (192 versions)
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting…
- CVE-2026-48818HIGHCVSS 7.5EG 7.5✓ Fixed in 1.1.02026-06-15
vulnerable: 0.1.0 ... 1.0.1 (192 versions)
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection befo…
- CVE-2026-54282MEDIUMCVSS 5.3EG 5.3✓ Fixed in 1.3.02026-06-15
vulnerable: 0.1.0 ... 1.2.1 (195 versions)
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing …
- CVE-2026-54283HIGHCVSS 7.5EG 7.5✓ Fixed in 1.3.12026-06-15
vulnerable: 0.10.0 ... 1.3.0 (165 versions)
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but si…
Check whether starlette is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for starlette CVEs against the assets you own.
Start Free Scan →