CVE-2025-62727

HIGH

Starlette <0.49.1 - DoS

Title source: llm

Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Exploits (1)

GitHub, working PoC, 1 star
by ch4n3-yoon · tags: python, poc
https://github.com/ch4n3-yoon/CVE-2025-62727-Demo

Scores

CVSS v3 7.5
EPSS 0.0040
EPSS Percentile 60.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-407
Status published
Products (2)
Kludex/starlette >= 0.39.0, < 0.49.1
pypi/starlette 0.39.0 - 0.49.1 (PyPI)
Published Oct 28, 2025
Tracked Since Feb 18, 2026