
22 matches found

OSV
Added 2026/06/04 1:15 p.m. (4 views)

GHSA-86QP-5C8J-P5MR Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Summary: In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the pa...

CVSS 6.5 | AI score 5.9 | EPSS 0.01002
Exploits: 2 | References: 9
CVE
Added 2026/05/26 9:54 p.m. (155 views)

CVE-2026-48710

Starlette (Python ASGI framework) contains a Host header validation issue in versions before 1.0.1. The HTTP Host header was not validated when reconstructing request.url, while routing relies on the raw path and request.url, allowing a malformed Host header to make request.url.path differ from t...

CVSS 6.5 | AI score 5.8 | EPSS 0.01002
Exploits: 2 | References: 10 | Affected Software: 1
CNNVD
Added 2026/05/26 12:00 a.m. (6 views)

Starlette environmental issue vulnerability

Starlette is a lightweight ASGI framework/toolkit developed by Encode. It’s ideal for building asynchronous web services using Python. Versions of Starlette prior to 1.0.1 contained an environmental issue vulnerability. This vulnerability stemmed from the lack of validation of the HTTP Host reque...

CVSS 6.5 | AI score 5.8 | EPSS 0.01002
Exploits: 2 | References: 7
PyPA
Added 2026/05/22 1:11 p.m. (10 views)

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actu...

AI score 5.8 | EPSS 0.01002
Exploits: 2 | References: 8 | Affected Software: 1
CNNVD
Added 2025/10/28 12:00 a.m. (7 views)

Starlette security vulnerability

Starlette is a lightweight ASGI framework/toolkit open-sourced by Encode. It is ideal for building asynchronous web services in Python. Versions of Starlette before 0.49.1 contain a security vulnerability that stems from the FileResponse Range parsing and merge logic having a quadratic-time...

CVSS 7.5 | AI score 6.3 | EPSS 0.00597
Exploits: 0 | References: 6
EUVD
Added 2025/10/03 8:07 p.m. (4 views)

EUVD-2023-0244

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7 | EPSS 0.01288
Exploits: 0 | References: 6
EUVD
Added 2025/10/03 8:07 p.m. (6 views)

EUVD-2025-22159

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 7.2 | EPSS 0.00504
Exploits: 0 | References: 5
Vulnrichment
Added 2025/07/21 8:06 p.m. (5 views)

CVE-2025-54121 Starlette has possible denial-of-service vector when parsing large files in multipart forms

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multipart form with large files greater than the default max spool size, Starlette will block the main thread t...

CVSS 5.3 | AI score 7.2 | EPSS 0.00504
Exploits: 0 | References: 4
OSV
Added 2025/07/21 8:06 p.m. (6 views)

CVE-2025-54121 Starlette has possible denial-of-service vector when parsing large files in multipart forms

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multipart form with large files greater than the default max spool size, Starlette will block the main thread t...

CVSS 5.3 | AI score 7.2 | EPSS 0.00504
Exploits: 0 | References: 6
Tenable Nessus
Added 2025/06/16 12:00 a.m. (5 views)

TencentOS Server 4: python-starlette (TSSA-2024:1053)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:1053 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 8.7 | AI score 7.8 | EPSS 0.00652
Exploits: 0 | References: 2
Tenable Nessus
Added 2025/03/05 12:00 a.m. (8 views)

Linux Distros Unpatched Vulnerability : CVE-2024-47874

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Starlette is an ASGI (Asynchronous Server Gateway Interface) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a...

CVSS 8.7 | AI score 7.3 | EPSS 0.00652
Exploits: 0 | References: 3
BDU FSTEC
Added 2024/10/30 12:00 a.m. (2 views)

A vulnerability in the Starlette ASGI web framework, related to unbounded memory allocation, allows attackers to cause a denial of service.

The vulnerability in the Starlette ASGI web framework is related to unbounded memory allocation. Exploiting this vulnerability allows a remote attacker to cause service interruptions...

CVSS 7.8 | AI score 7.2 | EPSS 0.00652
Exploits: 0 | References: 6 | Affected Software: 2
NVD
Added 2024/10/15 4:15 p.m. (18 views)

CVE-2024-47874

Starlette is an ASGI (Asynchronous Server Gateway Interface) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form...

CVSS 8.7 | EPSS 0.00652
Exploits: 0 | References: 2
OSV
Added 2024/10/15 4:15 p.m. (2 views)

DEBIAN-CVE-2024-47874

Starlette is an ASGI (Asynchronous Server Gateway Interface) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form...

CVSS 8.7 | AI score 7.7 | EPSS 0.00652
Exploits: 0 | References: 1
CVE
Added 2024/10/15 3:45 p.m. (311 views)

CVE-2024-47874

CVE-2024-47874 (Starlette / FastAPI): Prior to v0.40.0, Starlette buffers multipart/form-data parts without a filename as text with no size limit, enabling requests that create very large form fields. This can cause excessive memory allocations, high memory usage, and potential OOM conditions, p...

CVSS 8.7 | AI score 7 | EPSS 0.00652
Exploits: 0 | References: 2
CNNVD
Added 2024/10/15 12:00 a.m. (2 views)

Starlette security vulnerability

Starlette is a lightweight ASGI framework/toolkit open-sourced by Encode. It is ideal for building asynchronous web services in Python. Versions of Starlette before 0.40.0 contain a security vulnerability; the vulnerability stems from not targeting users...

CVSS 8.7 | AI score 8 | EPSS 0.00652
Exploits: 0 | References: 4
SUSE CVE
Added 2023/06/06 2:15 a.m. (4 views)

SUSE CVE-2023-30798

The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service...

CVSS 7.5 | AI score 7 | EPSS 0.01288
Exploits: 0 | References: 3
SUSE CVE
Added 2023/06/02 2:29 a.m. (2 views)

SUSE CVE-2023-29159

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service that was built using Starlette...

CVSS 7.5 | AI score 7.7 | EPSS 0.02032
Exploits: 1 | References: 3
PyPA
Added 2023/04/21 4:15 p.m. (4 views)

PYSEC-2023-48

The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service...

CVSS 7.5 | AI score 7 | EPSS 0.01288
Exploits: 0 | References: 4 | Affected Software: 1
OSV
Added 2023/04/21 4:15 p.m. (1 view)

UBUNTU-CVE-2023-30798

The MultipartParser usage in Encode's Starlette Python framework before version 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files, which can cause excessive memory usage resulting in denial of service of the HTTP service...

CVSS 7.5 | AI score 7.1 | EPSS 0.01288
Exploits: 0 | References: 5