cve-2025-54121
Vulnerability from cvelistv5
Published
2025-07-21 20:06
Modified
2025-07-22 19:54
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Starlette has possible denial-of-service vector when parsing large files in multipart forms
References
security-advisories@github.comhttps://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14
security-advisories@github.comhttps://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
security-advisories@github.comhttps://github.com/encode/starlette/discussions/2927#discussioncomment-13721403
security-advisories@github.comhttps://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
Impacted products
encodestarlette
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54121",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T19:54:16.504521Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T19:54:24.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlette",
          "vendor": "encode",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.47.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can\u0027t accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-21T20:06:03.818Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73"
        },
        {
          "name": "https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1"
        },
        {
          "name": "https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14"
        },
        {
          "name": "https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403"
        }
      ],
      "source": {
        "advisory": "GHSA-2c2j-9gv5-cj73",
        "discovery": "UNKNOWN"
      },
      "title": "Starlette has possible denial-of-service vector when parsing large files in multipart forms"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54121",
    "datePublished": "2025-07-21T20:06:03.818Z",
    "dateReserved": "2025-07-16T23:53:40.508Z",
    "dateUpdated": "2025-07-22T19:54:24.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54121\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-21T20:15:41.827\",\"lastModified\":\"2025-07-22T13:05:40.573\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can\u0027t accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.\"},{\"lang\":\"es\",\"value\":\"Starlette es un framework/kit de herramientas ASGI (Interfaz de Puerta de Enlace de Servidor As\u00edncrona) ligero, dise\u00f1ado para crear servicios web as\u00edncronos en Python. En las versiones 0.47.1 y anteriores, al analizar un formulario multiparte con archivos grandes (superiores al tama\u00f1o m\u00e1ximo de spool predeterminado), Starlette bloquea el hilo principal para que no transfiera el archivo al disco. Esto bloquea el hilo de eventos, lo que impide que la aplicaci\u00f3n acepte nuevas conexiones. El c\u00f3digo UploadFile presenta un peque\u00f1o error: en lugar de simplemente comprobar self._in_memory, la l\u00f3gica tambi\u00e9n deber\u00eda comprobar si los bytes adicionales provocar\u00e1n una transferencia. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.47.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.