CVE-2026-48710

EUVD-2026-32016
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
encodestarlette
0.8.3 ≤
𝑥
< 1.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
starlette
bookworm
vulnerable
bookworm (security)
0.26.1-1+deb12u1
fixed
bullseye
vulnerable
forky
1.1.0-1
fixed
sid
1.1.0-1
fixed
trixie
vulnerable
trixie (security)
0.46.1-3+deb13u2
fixed