Tech Insight Daily

Python Starlette Security Vulnerabilities: CVE-2025-54121 & CVE-2025-62727

• By Tech Insight Daily • 5 min read

Starlette powers some of the most popular async Python frameworks, including FastAPI. In 2025, two significant denial-of-service vulnerabilities were discovered that affect applications serving files or handling file uploads. If you're running Starlette below version 0.49.1, your application may be vulnerable to unauthenticated attacks that can exhaust server resources.

This guide breaks down both CVEs, explains the technical root causes, and shows you exactly how to check if you're affected and what to do about it.

CVE-2025-62727: FileResponse ReDoS (High Severity)

CVSS Score: 7.5 (HIGH) • Affected Versions: 0.39.0 to 0.49.0 • Fixed: 0.49.1

This vulnerability affects any endpoint serving files through FileResponse or StaticFiles. An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's range parsing logic.

Technical Cause

The root issue lies in the _parse_range_header method, which scanned the header value with the regular expression re.compile(r"(\d*)-(\d*)"). Because \d* can match the empty string, the engine retries the pattern from every offset of the value, and a value built so that each attempt fails only after consuming a long run of characters (for example, a long run of digits with no hyphen) costs a number of steps that grows with the square of the header length. This is a polynomial rather than exponential ReDoS, but the header is attacker-controlled and unbounded by the parser, so a single long value is enough to tie up a worker's CPU for seconds.

Impact

Any application using starlette.responses.FileResponse or starlette.staticfiles.StaticFiles is vulnerable. A single malicious request can exhaust CPU resources, causing denial-of-service. No authentication is required to exploit this vulnerability.

The Fix

Version 0.49.1 replaces the regex with a new _parse_ranges method that splits the header value on commas and hyphens, so parsing cost is linear in the header length and the ReDoS is avoided entirely.
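The two approaches side by side, as an added example that is not Starlette's code: a regex-based parser in the style the text describes (only the pattern comes from the advisory, the surrounding logic is assumed) next to a split-based one, plus a constructed adversarial header and a timing helper. The names parse_ranges_regex, parse_ranges_split, adversarial_header and seconds_to_parse, and the max_ranges cap, are this example's own assumptions.

```python
import re
import time

# Illustrative vulnerable-style parser written for this article; NOT Starlette's code.
# Only the pattern itself is taken from the advisory, the surrounding logic is assumed.
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)")


def parse_ranges_regex(http_range: str, file_size: int) -> list[tuple[int, int]]:
    """Scan the whole header value with a regex. Returns half-open (start, end) ranges."""
    units, _, spec = http_range.partition("=")
    if units.strip().lower() != "bytes":
        raise ValueError("only bytes ranges are supported")
    ranges: list[tuple[int, int]] = []
    for start, end in _RANGE_PATTERN.findall(spec):
        if start == "" and end == "":
            continue
        if start == "":  # suffix form "-N": the last N bytes
            ranges.append((max(file_size - int(end), 0), file_size))
        else:
            stop = int(end) + 1 if end else file_size
            ranges.append((int(start), min(stop, file_size)))
    return ranges


def _ascii_int(text: str) -> int:
    """Accept ASCII digits only; anything else is a malformed range."""
    if not text or not (text.isascii() and text.isdigit()):
        raise ValueError(f"not an ASCII integer: {text!r}")
    return int(text)


def parse_ranges_split(http_range: str, file_size: int, max_ranges: int = 100) -> list[tuple[int, int]]:
    """Hardened style: partition on '=', split on ',' and '-'. Every step is linear in the input.

    max_ranges is an added cap (an assumption of this example, not a Starlette feature).
    """
    units, sep, spec = http_range.partition("=")
    if not sep or units.strip().lower() != "bytes":
        raise ValueError("malformed Range header")
    parts = spec.split(",")
    if len(parts) > max_ranges:
        raise ValueError("too many ranges")
    ranges: list[tuple[int, int]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue  # empty list elements are tolerated, as HTTP list syntax allows
        start_s, dash, end_s = part.partition("-")
        if not dash or (start_s == "" and end_s == ""):
            raise ValueError(f"malformed byte-range-spec: {part!r}")
        if start_s == "":
            length = _ascii_int(end_s)
            if length == 0:
                raise ValueError("suffix length must be positive")
            ranges.append((max(file_size - length, 0), file_size))
            continue
        start = _ascii_int(start_s)
        if start >= file_size:
            raise ValueError("range not satisfiable")
        stop = _ascii_int(end_s) + 1 if end_s else file_size
        if stop <= start:
            raise ValueError(f"malformed byte-range-spec: {part!r}")
        ranges.append((start, min(stop, file_size)))
    if not ranges:
        raise ValueError("Range header carries no ranges")
    return ranges


def adversarial_header(n: int) -> str:
    """Constructed input: digits with no '-' never match, so the regex engine retries from
    every offset and backtracks through the remainder each time, O(n^2) in total."""
    return "bytes=" + "9" * n


def seconds_to_parse(parser, http_range: str, file_size: int = 1_000_000) -> float:
    """Wall-clock cost of one parse; a ValueError still counts, that is where the CPU goes."""
    t0 = time.perf_counter()
    try:
        parser(http_range, file_size)
    except ValueError:
        pass
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Doubling n should roughly quadruple the regex parser's time and barely move the split parser's.
    for n in (2_000, 4_000, 8_000):
        hdr = adversarial_header(n)
        print(f"n={n:>5}  regex {seconds_to_parse(parse_ranges_regex, hdr):.3f}s"
              f"  split {seconds_to_parse(parse_ranges_split, hdr):.6f}s")
```

Run it and compare the two columns: the regex parser's time grows roughly fourfold each time n doubles, while the split parser rejects the same header in microseconds. The hardened version also refuses non-ASCII digits, reversed ranges and starts beyond the end of the file, all of which the regex version passes through; a production handler would map those ValueErrors to a 400 or 416 response.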

CVE-2025-54121: Multipart Form DoS (Medium Severity)

CVSS Score: 5.3 (MEDIUM) • Affected Versions: ≤ 0.47.1 • Fixed: 0.47.2

This vulnerability affects applications that parse multipart form uploads large enough to exceed the in-memory spool limit. UploadFile buffers an upload in a SpooledTemporaryFile; once the buffered data grows past that file's max_size, the next write triggers a rollover that copies everything written so far into a disk file, and in affected versions that rollover ran synchronously on the event loop.

Technical Cause

The issue exists in the UploadFile.write() method. It decided whether to write inline or hand the write to a thread by checking only whether the file was still in memory; it did not consider whether the incoming chunk would push the spool past its limit and trigger the rollover. When that happened, the rollover, including the copy of the whole buffer to disk, ran synchronously on the async event loop, so every other coroutine on that worker, including the ones accepting new connections, stalled until it finished. The 0.47.2 fix takes the pending write into account when making that decision.

Impact

Applications accepting file uploads become temporarily unable to handle new connections while a large upload crosses the spool limit. The real-world impact is moderate: on modern SSDs the stall is a matter of milliseconds, but on slow or network-backed storage it can last long enough to make the worker unresponsive.
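An added example, not Starlette's code, that makes the stall observable: a SpooledTemporaryFile subclass whose rollover is deliberately slow stands in for slow storage, UploadFileBefore keeps the decision the text describes (look only at the current state), UploadFileAfter predicts the rollover and moves that write off the loop, and a ticker coroutine counts how often anything else gets to run. The class and function names are this example's own; _rolled and _max_size are private attributes of CPython's SpooledTemporaryFile, and reading them is a choice this example makes.

```python
import asyncio
import tempfile
import time


class SlowSpool(tempfile.SpooledTemporaryFile):
    """Constructed stand-in for slow storage: rollover() takes ROLLOVER_SECONDS.
    SpooledTemporaryFile.write() calls rollover() itself once the buffer passes max_size."""

    ROLLOVER_SECONDS = 0.3

    def rollover(self) -> None:
        time.sleep(self.ROLLOVER_SECONDS)  # simulates the slow copy of the buffer to disk
        super().rollover()


class UploadFileBefore:
    """Pre-fix style (not Starlette's code): decide by the current state alone."""

    def __init__(self, spool: tempfile.SpooledTemporaryFile) -> None:
        self.file = spool
        self.size = 0

    @property
    def _in_memory(self) -> bool:
        return not getattr(self.file, "_rolled", True)  # private CPython attribute (assumption)

    async def write(self, data: bytes) -> None:
        self.size += len(data)
        if self._in_memory:
            self.file.write(data)  # BUG: this write can roll over to disk synchronously, on the loop
        else:
            await asyncio.to_thread(self.file.write, data)


class UploadFileAfter(UploadFileBefore):
    """Fixed style: predict the rollover and hand that particular write to a thread."""

    def _will_roll(self, size_to_add: int) -> bool:
        if not self._in_memory:
            return False  # already on disk, it cannot roll again
        max_size = getattr(self.file, "_max_size", 0)  # private CPython attribute (assumption)
        return bool(max_size) and self.size + size_to_add > max_size

    async def write(self, data: bytes) -> None:
        will_roll = self._will_roll(len(data))
        self.size += len(data)
        if self._in_memory and not will_roll:
            self.file.write(data)  # small in-memory append, fine to do inline
        else:
            await asyncio.to_thread(self.file.write, data)


async def _ticks_while_uploading(upload, chunks: list[bytes], tick: float = 0.01) -> int:
    """Count how often an unrelated coroutine runs while `upload` consumes `chunks`.
    Near zero means the event loop was blocked."""
    count = 0
    done = False

    async def ticker() -> None:
        nonlocal count
        while not done:
            count += 1
            await asyncio.sleep(tick)

    task = asyncio.create_task(ticker())
    for chunk in chunks:
        await upload.write(chunk)
    done = True
    await task
    return count


def compare_event_loop_stall(max_size: int = 1024, chunks: int = 3) -> tuple[int, int]:
    """Push the same upload through both implementations; returns (ticks_before, ticks_after)."""
    data = [bytes([i]) * max_size for i in range(chunks)]  # the second chunk forces the rollover

    async def run(cls) -> int:
        with SlowSpool(max_size=max_size) as spool:
            ticks = await _ticks_while_uploading(cls(spool), data)
            spool.seek(0)
            if spool.read() != b"".join(data):
                raise RuntimeError("upload content must survive either way")
            return ticks

    return asyncio.run(run(UploadFileBefore)), asyncio.run(run(UploadFileAfter))


if __name__ == "__main__":
    before, after = compare_event_loop_stall()
    print(f"other coroutine ran {before} times before the fix, {after} times after it")
```

Running it shows the first number stuck at one or two, because the ticker is frozen for the whole rollover, while the second runs into the tens, because the loop keeps serving. The same applies to every other request on that worker, which is why a single large upload on slow storage is a denial-of-service condition rather than a latency blip.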

Am I Affected?

Check your Starlette version:

pip show starlette | grep Version
# or
pip freeze | grep starlette

You're vulnerable if:

  • Starlette < 0.49.1 and you serve files via StaticFiles or FileResponse (CVE-2025-62727)
  • Starlette < 0.47.2 and you accept file uploads via multipart forms (CVE-2025-54121)

FastAPI users: FastAPI depends on Starlette and pins a version range for it, so the Starlette you run is whatever resolved for your FastAPI version. pip show fastapi lists Starlette under Requires; pip show starlette tells you which version is actually installed.

How to Fix

Upgrade to Starlette 0.49.1 or later to patch both vulnerabilities. Quote the version specifier: unquoted, the shell reads >=0.49.1 as a redirect, pip installs an unconstrained starlette, and you are left with a stray file named =0.49.1.

# Direct upgrade
pip install --upgrade "starlette>=0.49.1"

# Or update requirements.txt
starlette>=0.49.1

# For FastAPI projects (FastAPI pins a Starlette range, so upgrade both together)
pip install --upgrade fastapi "starlette>=0.49.1"

After upgrading, verify the installation:

python -c "import starlette; print(starlette.__version__)"
# Should output: 0.49.1 or higher

Run your test suite to ensure the upgrade doesn't introduce breaking changes in your application.

Prevention Best Practices

These vulnerabilities highlight common patterns in web framework security:

  • Be careful with regex on untrusted input: the ReDoS came from scanning an attacker-controlled header with a pattern whose quantifiers can retry from every offset. Prefer linear parsing with partition() and split() for simple formats, and if a regex is the right tool, bound the input length before matching and check the pattern for ambiguous or nested quantifiers.
  • Audit async blocking patterns: In async frameworks, any synchronous I/O operation blocks the event loop. Review file operations, database calls, and external API requests.
  • Monitor dependencies: Use tools like pip-audit, Snyk, or Dependabot to catch CVEs in your dependency tree automatically.
  • Set up security scanning: Integrate vulnerability scanning into your CI/CD pipeline to catch issues before deployment.

For teams handling sensitive workloads, add rate limiting to file-serving endpoints and cap request header size at the reverse proxy as defense-in-depth, even after patching: the cost of a ReDoS grows with the length of the input, so a bounded header bounds the damage.

Key Takeaways

  • CVE-2025-62727 is HIGH severity (7.5)—patch immediately if you serve static files
  • CVE-2025-54121 is MEDIUM severity (5.3)—affects file upload handling
  • Upgrade to Starlette 0.49.1+ to fix both vulnerabilities
  • FastAPI users are affected—check transitive Starlette dependency
  • Use pip-audit or Snyk to automate vulnerability detection