CVE-2025-62727

EUVD-2025-36555
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Debian logo
Debian Releases
Debian Product
Codename
starlette
bookworm
0.26.1-1
fixed
bookworm (security)
0.26.1-1+deb12u1
fixed
bullseye
0.14.1-1
fixed
forky
1.1.0-1
fixed
sid
1.1.0-1
fixed
trixie
0.46.1-3+deb13u1
fixed
trixie (security)
0.46.1-3+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
starlette
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
resolute
needs-triage