starlette-0.14.2-py3-none-any.whl: 7 vulnerabilities (highest severity is: 7.5) #34
Description
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (starlette version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2023-0037 |  High |
7.5 | starlette-0.14.2-py3-none-any.whl | Direct | 0.25.0 | ❌ |
| CVE-2025-62727 | High |
7.5 | starlette-0.14.2-py3-none-any.whl | Direct | starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1 | ❌ |
| CVE-2024-47874 | High |
7.5 | starlette-0.14.2-py3-none-any.whl | Direct | 0.40.0 | ❌ |
| CVE-2023-30798 | High |
7.5 | starlette-0.14.2-py3-none-any.whl | Direct | 0.25.0 | ❌ |
| CVE-2023-29159 | High |
7.5 | starlette-0.14.2-py3-none-any.whl | Direct | 0.27.0 | ❌ |
| CVE-2025-54121 |  Medium |
5.3 | starlette-0.14.2-py3-none-any.whl | Direct | 0.47.2 | ❌ |
| WS-2023-0138 |  Low |
3.7 | starlette-0.14.2-py3-none-any.whl | Direct | 0.27.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0037
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.
Publish Date: 2023-02-14
URL: WS-2023-0037
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-74m5-2c7w-9w3x
Release Date: 2023-02-14
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
CVE-2025-62727
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Publish Date: 2025-10-28
URL: CVE-2025-62727
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7f5h-v6xp-fcq8
Release Date: 2025-10-28
Fix Resolution: starlette - 0.49.1,https://github.com/Kludex/starlette.git - 0.49.1
Step up your Open Source Security Game with Mend here
CVE-2024-47874
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
Publish Date: 2024-10-15
URL: CVE-2024-47874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47874
Release Date: 2024-10-15
Fix Resolution: 0.40.0
Step up your Open Source Security Game with Mend here
CVE-2023-30798
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Publish Date: 2023-04-21
URL: CVE-2023-30798
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798
Release Date: 2023-04-21
Fix Resolution: 0.25.0
Step up your Open Source Security Game with Mend here
CVE-2023-29159
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
Publish Date: 2023-06-01
URL: CVE-2023-29159
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-06-01
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here
CVE-2025-54121
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here
WS-2023-0138
Vulnerable Library - starlette-0.14.2-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Dependency Hierarchy:
- ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.
Publish Date: 2023-05-16
URL: WS-2023-0138
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v5gw-mw7f-84px
Release Date: 2023-05-16
Fix Resolution: 0.27.0
Step up your Open Source Security Game with Mend here