CVE-2025-62727

EUVD-2025-36555

28.10.2025, 21:15

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Debian Releases

Debian Product

Codename

starlette

bookworm	no-dsa
bullseye	postponed
forky	0.50.0-1 fixed
sid	0.50.0-1 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

starlette

jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage

Common Weakness Enumeration

CWE-407 - Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

References

https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5

https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c

https://github.com/Kludex/starlette/releases/tag/0.49.1

https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8

https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8