CVE-2025-54121

5.3 MEDIUM

📋 TL;DR

A denial-of-service vulnerability in Starlette's file upload handling allows attackers to block the main event loop by sending large multipart form files. This affects all Python web applications using Starlette 0.47.1 and below with file upload functionality. The vulnerability prevents the application from accepting new connections while processing oversized files.

💻 Affected Systems

Products:
  • Starlette
Versions: 0.47.1 and below
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Starlette's multipart form parsing with UploadFile functionality. Applications without file upload endpoints are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability for all users during file upload processing, potentially leading to extended service disruption.

🟠 Likely Case: Temporary denial of service affecting new connections while large files are being processed, degrading application performance.

🟢 If Mitigated: Minimal impact with proper rate limiting, file size restrictions, and monitoring in place.

🌐 Internet-Facing: HIGH - Publicly accessible applications with file upload endpoints are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal applications with file upload functionality remain vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with large multipart form files. No authentication needed if upload endpoint is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.47.2

Vendor Advisory: https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73

Restart Required: Yes

Instructions:

1. Update Starlette: pip install --upgrade starlette==0.47.2
2. Restart your application server
3. Verify the version with: python -c "import starlette; print(starlette.__version__)"

🔧 Temporary Workarounds

Limit maximum file size

Applies to: all

Configure the application to reject files larger than a safe threshold before Starlette processes them.

# In your FastAPI/Starlette app (UploadFile.size is None when the client sent no Content-Length):
from fastapi import FastAPI, File, HTTPException, UploadFile

MAX_SIZE = 10 * 1024 * 1024  # 10 MiB; set this to the largest upload you legitimately need

app = FastAPI()

@app.post('/upload')
async def upload(file: UploadFile = File(...)):
    if file.size is None or file.size > MAX_SIZE:
        raise HTTPException(status_code=413, detail='File too large')
    return {'filename': file.filename}
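The handler check above only runs after Starlette has already parsed (and possibly spooled) the multipart body. As an added example that is not part of this advisory or of the Starlette project, the following pure ASGI middleware enforces the limit before the wrapped application reads the body at all, covering both a declared Content-Length and chunked or understated bodies; MaxBodySizeMiddleware, upload_app and post are names chosen here, and post is a constructed in-memory ASGI driver so the code runs without a server.

```python
import asyncio

MAX_UPLOAD_BYTES = 4096  # constructed threshold for the example; tune to your largest legitimate upload

class MaxBodySizeMiddleware:
    """Pure ASGI middleware: enforce a body limit before the wrapped app (Starlette) reads the body."""
    def __init__(self, app, max_bytes=MAX_UPLOAD_BYTES):
        self.app, self.max_bytes = app, max_bytes
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        declared = dict(scope["headers"]).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > self.max_bytes:
            return await reply(send, 413, b"Request body too large")  # refused without reading it
        received = 0
        async def limited_receive():
            # Chunked or understated Content-Length: count the bytes as they stream in.
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:
                    # Hand the app a disconnect; Starlette stops reading (ClientDisconnect) rather than spooling on.
                    return {"type": "http.disconnect"}
            return message
        await self.app(scope, limited_receive, send)

async def reply(send, status, body):
    await send({"type": "http.response.start", "status": status, "headers": []})
    await send({"type": "http.response.body", "body": body})

async def upload_app(scope, receive, send):
    """Stand-in for an upload handler: read the whole body, answer with its size."""
    total, message = 0, {"more_body": True}
    while message.get("more_body"):
        message = await receive()
        if message["type"] == "http.disconnect":
            return await reply(send, 400, b"client disconnected")
        total += len(message.get("body", b""))
    await reply(send, 200, str(total).encode())

def post(chunks, content_length=None, max_bytes=MAX_UPLOAD_BYTES):
    """Drive the middleware with a constructed POST; returns (status, response body)."""
    queue, sent = list(chunks), []
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    async def receive():
        body = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": body, "more_body": bool(queue)}
    async def send(message): sent.append(message)
    asyncio.run(MaxBodySizeMiddleware(upload_app, max_bytes)({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"], sent[1]["body"]
```

In a real deployment wrap the Starlette/FastAPI instance directly, app = MaxBodySizeMiddleware(app), so the check sits outside the framework's own middleware stack.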

Implement request timeout

Applies to: all

Add middleware that times out long-running requests before they block the event loop.

# Using an asyncio timeout; register it with app.add_middleware(TimeoutMiddleware):
import asyncio
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.responses import Response

class TimeoutMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        try:
            # Abort requests that run longer than 30 s. The timeout can only fire while the
            # event loop is free to run, so it bounds slow requests rather than an already stalled loop.
            return await asyncio.wait_for(call_next(request), timeout=30.0)
        except asyncio.TimeoutError:
            return Response('Request timeout', status_code=408)

🧯 If You Can't Patch

  • Implement reverse proxy rate limiting (e.g., nginx limit_req) to restrict upload request frequency
  • Deploy Web Application Firewall (WAF) rules to detect and block large file upload attempts

🔍 How to Verify

Check if Vulnerable:

Check Starlette version (compare numerically, not as strings, so that e.g. 0.100.0 is not mistaken for an old release): python -c "import starlette; print('Vulnerable' if tuple(map(int, starlette.__version__.split('.'))) <= (0, 47, 1) else 'Patched')"

Check Version:

python -c "import starlette; print(f'Starlette version: {starlette.__version__}')"

Verify Fix Applied:

Confirm version is 0.47.2 or higher: python -c "import starlette; print(starlette.__version__)"

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request processing times for POST requests to upload endpoints
  • Increased 408 timeout errors
  • Application restart events following file uploads

Network Indicators:

  • Large HTTP POST requests (> default spool size) to upload endpoints
  • Multiple concurrent large file upload requests

SIEM Query:

source='application.logs' AND ((message LIKE '%upload%' AND duration_ms > 30000) OR (status_code=408 AND uri_path LIKE '%upload%'))
