CVE-2025-62727— Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-62727
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse
Source: NVD (National Vulnerability Database)
Vulnerability Description
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
算法复杂性
Source: NVD (National Vulnerability Database)
Vulnerability Title
Starlette 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Starlette是Encode开源的一个轻量级的 ASGI 框架/工具包。非常适合用 Python 构建异步 web 服务。 Starlette 0.49.1之前版本存在安全漏洞,该漏洞源于FileResponse Range解析合并逻辑存在二次时间处理问题,可能导致CPU耗尽和拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-62727
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Proof of concept of CVE-2025-62727 that can cause denial-of-service in FastAPI (based Starlette <= 0.48.0) | https://github.com/ch4n3-yoon/CVE-2025-62727-Demo | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-62727
请登录查看更多情报信息。
- Merge commit from fork · Kludex/starlette@4ea6e22 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2025-62727
IV. Related Vulnerabilities
Same vendor: Kludex
- CVE-2026-42561
Python-Multipart: Denial of Service via unbounded multipart - CVE-2026-40347
Python-Multipart affected by Denial of Service via large mul - CVE-2026-24486
Python-Multipart has Arbitrary File Write via Non-Default Co - CVE-2024-53981
python-multipart has a Denial of service (DoS) via deformati - CVE-2024-24762
python-multipart vulnerable to content-type header Regular e
Same weakness: CWE-407
- CVE-2026-45186
libexpat 安全漏洞 - CVE-2026-42245
net-imap: Quadratic complexity when reading response literal - CVE-2026-43967
Quadratic fragment-name uniqueness check causes denial of se - CVE-2026-40476
graphql-php: Denial of Service via quadratic complexity in O - CVE-2026-35599
Vikunja has an Algorithmic Complexity DoS in Repeating Task
V. Comments for CVE-2025-62727
No comments yet