Skip to content

starlette-0.49.3-py3-none-any.whl: 5 vulnerabilities (highest severity is: 7.5) #123

Description

@mend-bolt-for-github
Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (starlette version) Remediation Possible**
CVE-2026-54283 High 7.5 starlette-0.49.3-py3-none-any.whl Direct 1.3.1
CVE-2026-48818 High 7.5 starlette-0.49.3-py3-none-any.whl Direct https://github.com/encode/starlette.git - 1.1.0,starlette - 1.1.0
CVE-2026-48710 Medium 6.5 starlette-0.49.3-py3-none-any.whl Direct 1.0.1
CVE-2026-48817 Medium 5.3 starlette-0.49.3-py3-none-any.whl Direct 1.1.0
CVE-2026-54282 Low 3.7 starlette-0.49.3-py3-none-any.whl Direct 1.3.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-54283

Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Dependency Hierarchy:

  • starlette-0.49.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Publish Date: 2026-06-22

URL: CVE-2026-54283

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-82w8-qh3p-5jfq

Release Date: 2026-06-15

Fix Resolution: 1.3.1

Step up your Open Source Security Game with Mend here

CVE-2026-48818

Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Dependency Hierarchy:

  • starlette-0.49.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-06-17

URL: CVE-2026-48818

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-15

Fix Resolution: https://github.com/encode/starlette.git - 1.1.0,starlette - 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2026-48710

Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Dependency Hierarchy:

  • starlette-0.49.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.

Publish Date: 2026-05-26

URL: CVE-2026-48710

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-86qp-5c8j-p5mr

Release Date: 2026-05-26

Fix Resolution: 1.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-48817

Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Dependency Hierarchy:

  • starlette-0.49.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.

Publish Date: 2026-06-17

URL: CVE-2026-48817

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x746-7m8f-x49c

Release Date: 2026-06-15

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2026-54282

Vulnerable Library - starlette-0.49.3-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl

Dependency Hierarchy:

  • starlette-0.49.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @⁠google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.

Publish Date: 2026-06-22

URL: CVE-2026-54282

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jp82-jpqv-5vv3

Release Date: 2026-06-15

Fix Resolution: 1.3.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions