Starlette (Python) – Support, CVEs & Health

GHSA-2c2j-9gv5-cj73 CVSS_V3

Starlette has possible denial-of-service vector when parsing large files in multipart forms

Published: 2025-07-21 Fixed in: 0.47.2

GHSA-74m5-2c7w-9w3x CVSS_V3

MultipartParser denial of service with too many fields or files

Published: 2023-02-14 Fixed in: 0.25.0

GHSA-7f5h-v6xp-fcq8 CVSS_V3

Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

Published: 2025-10-28 Fixed in: 0.49.1

GHSA-82w8-qh3p-5jfq CVSS_V3

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

Published: 2026-06-15 Fixed in: 1.3.1

GHSA-86qp-5c8j-p5mr CVSS_V3

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Published: 2026-06-04 Fixed in: 1.0.1

GHSA-f96h-pmfr-66vw CVSS_V3

Starlette Denial of service (DoS) via multipart/form-data

Published: 2024-10-15 Fixed in: 0.40.0

GHSA-jp82-jpqv-5vv3 CVSS_V3

Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname

Published: 2026-06-15 Fixed in: 1.3.0

GHSA-v5gw-mw7f-84px CVSS_V3

Starlette has Path Traversal vulnerability in StaticFiles

Published: 2023-05-17 Fixed in: 0.27.0

GHSA-wqp7-x3pw-xc5r CVSS_V3

Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows

Published: 2026-06-15 Fixed in: 1.1.0

GHSA-x746-7m8f-x49c CVSS_V3

Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`

Published: 2026-06-15 Fixed in: 1.1.0

Starlette