CVE-2025-54121 Information

Jul 22, 2025 cve

Description

Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit designed for building async web services in Python. In versions 0.47.1 and below when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can’t accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

Reference

https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14 https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1 https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403 https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73

CNNVD-202507-2710 (Published: 2025-07-21)

Share on:

CVE-2025-54121 Information

Description

Reference

Related CNNVD