CVE-2025-54121— Starlette has possible denial-of-service vector when parsing large files in multipart forms

Starlette has possible denial-of-service vector when parsing large files in multipart forms

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

不加限制或调节的资源分配

Starlette 安全漏洞

Starlette是Encode开源的一个轻量级的 ASGI 框架/工具包。非常适合用 Python 构建异步 web 服务。 Starlette 0.47.1及之前版本存在安全漏洞，该漏洞源于对多部分表单处理不当，可能导致拒绝服务攻击。

N/A

N/A