CNNVD-202510-3774 Information

CNNVD ID

CNNVD-202510-3774

CVE-2025-62727

  • CNNVD Published: 2025-10-28

Description (Chinese, translated)

Starlette is a lightweight ASGI framework/toolkit open-sourced by Encode, well suited to building asynchronous web services in Python. Starlette versions prior to 0.49.1 contain a security vulnerability: the Range parsing and merging logic in FileResponse has quadratic-time behaviour, which can lead to CPU exhaustion and denial of service.

Description (English)

Starlette is a lightweight ASGI framework/toolkit from Encode, well suited to building web services with Python. Prior to Starlette 0.49.1, a security vulnerability existed in the Range parsing and merging logic of FileResponse: the merge step runs in quadratic time in the number of ranges, which can lead to CPU exhaustion and denial of service.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

Encode

Published

2025-10-28

Last Modified

2026-02-24

References

  • https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
  • https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
  • https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
  • https://github.com/Kludex/starlette/releases/tag/0.49.1
  • https://access.redhat.com/security/cve/cve-2025-62727
  • https://vigilance.fr/vulnerability/Starlette-overload-via-Range-Header-Merging-48660

Patch

https://github.com/Kludex/starlette/releases