2 matches found
CVE-2026-54282
The CVE concerns Starlette prior to 1.3.0: HTTP request path is not validated when reconstructing request.url, allowing attacker-controlled hostname by re-parsing a non-absolute path (e.g., @google.com). The issue is fixed in 1.3.0. Remediate by upgrading to 1.3.0+; no exploitation details are pr...
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Summary In affected versions, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating scheme://hostpath and re-parsing the result, a path that does not begin with / for example @google.com moves the authority boundary...