CVE-2025-62727

HIGH

Starlette 0.39.0-0.49.0 - Unauthenticated Denial of Service via HTTP Range Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-62727, a PoC published by ch4n3-yoon.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2025-62727, demonstrating a CPU-heavy Range header handling vulnerability in Starlette's FileResponse. The exploit sends a crafted Range header with many byte ranges, triggering the quadratic-time range merging logic and leading to a denial-of-service condition.

Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. A single request with a long list of ranges costs CPU proportional to the square of the number of ranges, so a handful of requests can exhaust the worker, causing denial of service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
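The following is an added illustration of the flaw, not Starlette's own code and not the published PoC. `quadratic_merge` reconstructs the shape of the vulnerable merge (every new range rescans the already-merged list), `sorted_merge` shows the sort-then-single-pass shape that avoids it, and `crafted_range_header` builds the constructed attacker input: many ascending, non-overlapping one-byte ranges, which is the worst case for the quadratic loop. The parser, the `_RANGE_PATTERN` regex and the exact merge bodies are assumptions modelled on the description above, not verbatim library code.

```python
"""Added illustration for CVE-2025-62727 (not Starlette's code, not the PoC)."""
import re
import time

# Assumption: "start-end" pairs, either side optional, as in "bytes=0-99,-500,1000-".
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)")


def parse_ranges(header: str, file_size: int) -> list[tuple[int, int]]:
    """Parse 'bytes=a-b,c-d,...' into half-open (start, end) tuples (modelled, not verbatim)."""
    units, _, spec = header.partition("=")
    if units.strip().lower() != "bytes":
        raise ValueError("only bytes ranges are supported")
    ranges: list[tuple[int, int]] = []
    for start_s, end_s in _RANGE_PATTERN.findall(spec):
        if (start_s, end_s) == ("", ""):
            continue
        if start_s:
            start = int(start_s)
            end = int(end_s) + 1 if end_s and int(end_s) < file_size else file_size
        else:  # suffix range "-N" means the last N bytes
            start = max(file_size - int(end_s), 0)
            end = file_size
        if not 0 <= start < file_size or start > end:
            raise ValueError("range not satisfiable")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("Range header: at least one range is required")
    return ranges


def quadratic_merge(ranges, stats=None):
    """Vulnerable shape: for each range, scan the merged list from the front.

    With ascending, non-overlapping input every range walks the whole list and
    is then appended, so the inner loop runs n*(n-1)/2 times in total.
    """
    steps = 0
    result: list[tuple[int, int]] = []
    for start, end in ranges:
        for p, (p_start, p_end) in enumerate(result):
            steps += 1
            if start > p_end:
                continue
            if end < p_start:
                result.insert(p, (start, end))
                break
            result[p] = (min(start, p_start), max(end, p_end))
            break
        else:
            result.append((start, end))
    if stats is not None:
        stats["steps"] = steps
    return result


def sorted_merge(ranges):
    """Fixed shape: sort once (O(n log n)), then merge in a single pass."""
    ordered = sorted(ranges)
    result = [ordered[0]]
    for start, end in ordered[1:]:
        last_start, last_end = result[-1]
        if start <= last_end:
            result[-1] = (last_start, max(end, last_end))
        else:
            result.append((start, end))
    return result


def crafted_range_header(n: int) -> str:
    """Constructed attacker input: n ascending one-byte ranges with gaps between them."""
    return "bytes=" + ",".join(f"{i * 2}-{i * 2}" for i in range(n))


def compare(n: int, file_size: int = 10_000_000) -> dict:
    """Run both merges on the crafted header; return step count and whether results agree."""
    ranges = parse_ranges(crafted_range_header(n), file_size)
    stats: dict = {}
    slow = quadratic_merge(ranges, stats)
    fast = sorted_merge(ranges)
    return {"ranges": len(ranges), "quadratic_steps": stats["steps"], "same_result": slow == fast}


def time_merge(fn, ranges) -> float:
    t0 = time.perf_counter()
    fn(ranges)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for n in (500, 2000, 5000):
        rs = parse_ranges(crafted_range_header(n), 10_000_000)
        print(f"n={n:5d} quadratic={time_merge(quadratic_merge, rs):.3f}s "
              f"sorted={time_merge(sorted_merge, rs):.4f}s steps={compare(n)['quadratic_steps']}")
```

Running the block shows the quadratic merge's time growing roughly fourfold each time the range count doubles, while the sorted merge stays flat; a few thousand ranges fit comfortably in a single header. Independently of the upgrade, a sensible check in front of any file-serving handler is to reject Range headers with more than a small number of ranges before parsing them at all.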

Exploits (1)

GitHub · working PoC · 1 star
by ch4n3-yoon · Python · PoC
https://github.com/ch4n3-yoon/CVE-2025-62727-Demo


Classification
Working PoC (100%)
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Starlette (used in FastAPI applications)
No auth needed
Prerequisites: A running FastAPI/Starlette application serving static files via StaticFiles
Analyzed by devstral-2 on Feb 19, 2026

Scores

CVSS v3 7.5
EPSS 0.0007
EPSS Percentile 21.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-407
Status published
Products (2)
Kludex/starlette >= 0.39.0, < 0.49.1
pypi/starlette >= 0.39.0, < 0.49.1 (PyPI)
Published Oct 28, 2025
Tracked Since Feb 18, 2026