CVE-2025-54121

EUVD-2025-22159
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit for building async web services in Python. In versions 0.47.1 and below, when parsing a multipart form that contains a file larger than the default maximum spool size, Starlette rolls the spooled file over to disk synchronously on the event-loop thread. While that rollover runs, the event loop cannot service other requests or accept new connections, so a single large upload degrades availability for the whole process. The cause is a minor logic error in the UploadFile write path: it dispatches a write to a worker thread only when the file has already rolled over to disk (self._in_memory is false) instead of also checking whether the bytes being written will trigger the rollover. The vulnerability is fixed in version 0.47.2.
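The following is an added illustration of the bug shape described above, not Starlette's code. It models an UploadFile-style wrapper around tempfile.SpooledTemporaryFile with a hypothetical 1024-byte spool limit (Starlette's real default is larger) and compares the pre-fix write logic, which checks only whether the file is still in memory, with the fixed logic, which also predicts whether the current write will cause the rollover. The class name SpoolWriter, the method names write_vulnerable/write_fixed and the three constructed chunks are assumptions for the example; the check relies on CPython's private _rolled and _max_size attributes of SpooledTemporaryFile, as the bug description implies the real code does.

```python
"""Model of the CVE-2025-54121 UploadFile rollover bug and its fix.

Added illustration, not Starlette's code. A tempfile.SpooledTemporaryFile
rolls over to disk synchronously inside write() as soon as the spool limit is
exceeded, so a write() issued on the event-loop thread blocks the loop for the
whole rollover. Pre-fix logic only offloads writes once the file has already
rolled; the fix also offloads the single write that will cause the rollover.
"""
import asyncio
import tempfile
import threading

MAX_SPOOL = 1024  # hypothetical spool limit; Starlette's real default is larger


class SpoolWriter:
    """Minimal stand-in for an UploadFile wrapper around a spooled file."""

    def __init__(self, max_size: int = MAX_SPOOL) -> None:
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self.loop_thread = None  # set by the driver to the event-loop thread id
        # One entry per write: (ran on the event-loop thread, caused the rollover)
        self.log: list[tuple[bool, bool]] = []

    @property
    def _in_memory(self) -> bool:
        # Relies on CPython's private SpooledTemporaryFile._rolled flag.
        return not getattr(self.file, "_rolled", True)

    def _will_roll(self, extra: int) -> bool:
        # Predict whether appending `extra` bytes pushes the spool past its limit.
        # SpooledTemporaryFile rolls over when tell() exceeds _max_size after a write.
        if not self._in_memory:
            return False
        max_size = getattr(self.file, "_max_size", None)
        if not max_size:
            return False
        return self.file.tell() + extra > max_size

    def _write(self, data: bytes) -> None:
        was_in_memory = self._in_memory
        self.file.write(data)  # may roll over to disk synchronously here
        rolled_now = was_in_memory and not self._in_memory
        self.log.append((threading.get_ident() == self.loop_thread, rolled_now))

    async def write_vulnerable(self, data: bytes) -> None:
        # Pre-fix shape (<= 0.47.1): checks only whether the file is still in
        # memory, so the write that triggers the rollover runs on the event loop.
        if self._in_memory:
            self._write(data)
        else:
            await asyncio.to_thread(self._write, data)

    async def write_fixed(self, data: bytes) -> None:
        # Fixed shape (0.47.2): also offloads a write that will cause the rollover.
        if self._in_memory and not self._will_roll(len(data)):
            self._write(data)
        else:
            await asyncio.to_thread(self._write, data)


async def _drive(method_name: str) -> list[tuple[bool, bool]]:
    writer = SpoolWriter()
    writer.loop_thread = threading.get_ident()
    write = getattr(writer, method_name)
    # Constructed upload: three 600-byte chunks; the second crosses the 1024-byte limit.
    for chunk in (b"a" * 600, b"b" * 600, b"c" * 600):
        await write(chunk)
    writer.file.close()
    return writer.log


def rollover_log(method_name: str) -> list[tuple[bool, bool]]:
    """Run the constructed upload through the named write method and return its log."""
    return asyncio.run(_drive(method_name))


def rollover_write_blocked_loop(method_name: str) -> bool:
    """True if the write that rolled the spool to disk ran on the event-loop thread."""
    return any(on_loop and rolled for on_loop, rolled in rollover_log(method_name))


if __name__ == "__main__":
    for name in ("write_vulnerable", "write_fixed"):
        print(f"{name}: rollover blocked event loop = {rollover_write_blocked_loop(name)}")
```

With the vulnerable method the second chunk rolls the spool to disk while still on the event-loop thread; with the fixed method the same chunk is predicted to cross the limit and is written from a worker thread, so the loop stays free. The practical remediation is to upgrade to starlette >= 0.47.2 (or a patched distribution package); the model above only shows why the one-line predicate change matters.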
Provider   Type  Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
GitHub_M   CNA   5.3 MEDIUM   NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS percentile: 48%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

Vendor  Product    Version   Source
encode  starlette  < 0.47.2  CNA
Debian Releases

Product    Codename             Version           Status
starlette  bookworm             -                 vulnerable
starlette  bookworm (security)  0.26.1-1+deb12u1  fixed
starlette  bullseye             -                 postponed
starlette  forky                1.1.0-1           fixed
starlette  sid                  1.1.0-1           fixed
starlette  trixie               0.46.1-3+deb13u1  fixed
starlette  trixie (security)    0.46.1-3+deb13u2  fixed