zurichat
CVE-2025-54121 (Medium) detected in starlette-0.27.0-py3-none-any.whl
CVE-2025-54121 - Medium Severity Vulnerability
Vulnerable Library - starlette-0.27.0-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/58/f8/e2cca22387965584a409795913b774235752be4176d276714e15e1a58884/starlette-0.27.0-py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- :x: starlette-0.27.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Publish Date: 2025-07-21
URL: CVE-2025-54121
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2c2j-9gv5-cj73
Release Date: 2025-07-21
Fix Resolution: 0.47.2
Step up your Open Source Security Game with Mend here
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "Published by a pub.dev verified publisher"){kind=small}