This PR contains the following updates:
GitHub Vulnerability Alerts
Summary
Starlette treatsmultipart/form-data parts without afilename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.
PoC
fromstarlette.applicationsimportStarlettefromstarlette.routingimportRouteasyncdefpoc(request):asyncwithrequest.form():passapp=Starlette(routes=[Route('/',poc,methods=["POST"]),])curl http://localhost:8000 -F'big=</dev/urandom'
Impact
This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.
Summary
When parsing a multi-part form with large files (greater than thedefault max spool size)starlette will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.
Details
Please see this discussion for details:https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied fromhere) has a minor bug. Instead of just checking forself._in_memory we should also check if the additional bytes will cause a rollover.
@​propertydef_in_memory(self)->bool:# check for SpooledTemporaryFile._rolledrolled_to_disk=getattr(self.file,"_rolled",True)returnnotrolled_to_diskasyncdefwrite(self,data:bytes)->None:ifself.sizeisnotNone:self.size+=len(data)ifself._in_memory:self.file.write(data)else:awaitrun_in_threadpool(self.file.write,data)
I have already created a PR which fixes the problem:https://github.com/encode/starlette/pull/2962
PoC
See the discussionhere for steps on how to reproduce.
Impact
To be honest, very low and not many users will be impacted. Parsing large forms is already CPU intensive so the additional IO block doesn't slow downstarlette that much on systems with modern HDDs/SSDs. If someone is running on tape they might see a greater impact.
Release Notes
Kludex/starlette (starlette)
Compare Source
Fixed
- Make
UploadFile check for future rollover#2962.
New Contributors
Full Changelog:Kludex/starlette@0.47.1...0.47.2
v0.47.1: Version 0.47.1
Compare Source
Fixed
- Use
Self inTestClient.__enter__#2951 - Allow async exception handlers to type-check#2949
Full Changelog:Kludex/starlette@0.47.0...0.47.1
v0.47.0: Version 0.47.0
Compare Source
Added
- Add support for ASGI
pathsend extension#2671. - Add
partitioned attribute toResponse.set_cookie#2501.
Changed
- Change
methods parameter type fromlist[str] toCollection[str]#2903. - Replace
import typing byfrom typing import ... in the whole codebase#2867.
Fixed
- Mark
ExceptionMiddleware.http_exception as async to prevent thread creation#2922.
New Contributors
Full Changelog:Kludex/starlette@0.46.2...0.47.0
v0.46.2: Version 0.46.2
Compare Source
What's Changed
New Contributors
Full Changelog:Kludex/starlette@0.46.1...0.46.2
v0.46.1: Version 0.46.1
Compare Source
Fixed
- Allow relative directory path when
follow_symlinks=True#2896.
Full Changelog:Kludex/starlette@0.46.0...0.46.1
v0.46.0: Version 0.46.0
Compare Source
Added
GZipMiddleware: Make sureVary header is always added if a response can be compressed#2865.
Fixed
- Raise exception from background task on BaseHTTPMiddleware#2812.
GZipMiddleware: Don't compress on server sent events#2871.
Changed
MultiPartParser: Renamemax_file_size tospool_max_size#2780.
Deprecated
- Add deprecated warning to
TestClient(timeout=...)#2840.
New Contributors
Full Changelog:Kludex/starlette@0.45.3...0.46.0
v0.45.3: Version 0.45.3
Compare Source
Fixed
Full Changelog:Kludex/starlette@0.45.2...0.45.3
v0.45.2: Version 0.45.2
Compare Source
Fixed
- Make
create_memory_object_stream compatible with old anyio versions once again, and bump anyio minimum version to 3.6.2 by@graingert in#2833.
Full Changelog:Kludex/starlette@0.45.1...0.45.2
v0.45.1: Version 0.45.1
Compare Source
Fixed
Refactor
Full Changelog:Kludex/starlette@0.45.0...0.45.1
v0.45.0: Version 0.45.0
Compare Source
Removed
Full Changelog:Kludex/starlette@0.44.0...0.45.0
v0.44.0: Version 0.44.0
Compare Source
Added
New Contributors
Full Changelog:Kludex/starlette@0.43.0...0.44.0
v0.43.0: Version 0.43.0
Compare Source
Removed
- Remove deprecated
allow_redirects argument fromTestClient#2808.
Added
- Make UUID path parameter conversion more flexible#2806.
New Contributors
Full Changelog:Kludex/starlette@0.42.0...0.43.0
v0.42.0: Version 0.42.0
Compare Source
Added
- Raise
ClientDisconnect onStreamingResponse#2732.
Fixed
- Use ETag from headers when parsing If-Range in FileResponse#2761.
- Follow directory symlinks in
StaticFiles whenfollow_symlinks=True#2711. - Bump minimum
python-multipart version to0.0.180ba8395. - Bump minimum
httpx version to0.27.0#2773.
New Contributors
Full Changelog:Kludex/starlette@0.41.3...0.42.0
v0.41.3: Version 0.41.3
Compare Source
Fixed
- Exclude the query parameters from the
scope[raw_path] on theTestClient#2716. - Replace
dict byMapping onHTTPException.headers#2749. - Correct middleware argument passing and improve factory pattern#2752.
Full Changelog:Kludex/starlette@0.41.2...0.41.3
v0.41.2: Version 0.41.2
Compare Source
What's Changed
Full Changelog:Kludex/starlette@0.41.1...0.41.2
v0.41.1: Version 0.41.1
Compare Source
What's Changed
Full Changelog:Kludex/starlette@0.41.0...0.41.1
v0.41.0: Version 0.41.0
Compare Source
Added
- Allow to raise
HTTPException beforewebsocket.accept()encode#2725
v0.40.0: Version 0.40.0
Compare Source
This release fixes a Denial of service (DoS) viamultipart/form-data requests.
You can view the full security advisory:
GHSA-f96h-pmfr-66vw
Fixed
- Add
max_part_size toMultiPartParser to limit the size of parts inmultipart/form-data
requestsfd038f3.
v0.39.2: Version 0.39.2
Compare Source
Fixed
- Allow use of
request.url_for when only "app" scope is available#2672. - Fix internal type hints to support
python-multipart==0.0.12#2708.
Full Changelog:Kludex/starlette@0.39.1...0.39.2
v0.39.1: Version 0.39.1
Compare Source
Fixed
- Avoid regex re-compilation in
responses.py andschemas.py#2700. - Improve performance of
get_route_path by removing regular expression usage#2701. - Consider
FileResponse.chunk_size when handling multiple ranges#2703. - Use
token_hex for generating multipart boundary strings#2702.
Full Changelog:Kludex/starlette@0.39.0...0.39.1
v0.39.0: Version 0.39.0
Compare Source
Added
- Add support for HTTP Range to
FileResponse#2697
Full Changelog:Kludex/starlette@0.38.6...0.39.0
v0.38.6: Version 0.38.6
Compare Source
Fixed
- Close unclosed
MemoryObjectReceiveStream inTestClient#2693.
Full Changelog:Kludex/starlette@0.38.5...0.38.6
v0.38.5: Version 0.38.5
Compare Source
Fixed
- Schedule
BackgroundTasks from withinBaseHTTPMiddleware#2688.
This behavior was removed in 0.38.3, and is now restored.
Full Changelog:Kludex/starlette@0.38.4...0.38.5
v0.38.4: Version 0.38.4
Compare Source
Fixed
- Ensure accurate
root_path removal inget_route_path function#2600
Full Changelog:Kludex/starlette@0.38.3...0.38.4
v0.38.3: Version 0.38.3
Compare Source
Added
- Support for Python 3.13#2662.
Fixed
- Don't poll for disconnects in
BaseHTTPMiddleware viaStreamingResponse#2620.
Full Changelog:Kludex/starlette@0.38.2...0.38.3
v0.38.2: Version 0.38.2
Compare Source
Fixed
- Fix
routing.get_name() not to assume all routines have__name__#2648
Full Changelog:Kludex/starlette@0.38.1...0.38.2
v0.38.1: Version 0.38.1
Compare Source
Removed
- Revert "Add support for ASGI pathsend extension"#2649.
Full Changelog:Kludex/starlette@0.38.0...0.38.1
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
^0.38.0->^0.47.0GitHub Vulnerability Alerts
CVE-2024-47874
Summary
Starlette treats
multipart/form-dataparts without afilenameas text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.PoC
curl http://localhost:8000 -F'big=</dev/urandom'Impact
This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.
CVE-2025-54121
Summary
When parsing a multi-part form with large files (greater than thedefault max spool size)
starlettewill block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.Details
Please see this discussion for details:https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied fromhere) has a minor bug. Instead of just checking for
self._in_memorywe should also check if the additional bytes will cause a rollover.I have already created a PR which fixes the problem:https://github.com/encode/starlette/pull/2962
PoC
See the discussionhere for steps on how to reproduce.
Impact
To be honest, very low and not many users will be impacted. Parsing large forms is already CPU intensive so the additional IO block doesn't slow down
starlettethat much on systems with modern HDDs/SSDs. If someone is running on tape they might see a greater impact.Release Notes
Kludex/starlette (starlette)
v0.47.2Compare Source
Fixed
UploadFilecheck for future rollover#2962.New Contributors
Full Changelog:Kludex/starlette@0.47.1...0.47.2
v0.47.1: Version 0.47.1Compare Source
Fixed
SelfinTestClient.__enter__#2951Full Changelog:Kludex/starlette@0.47.0...0.47.1
v0.47.0: Version 0.47.0Compare Source
Added
pathsendextension#2671.partitionedattribute toResponse.set_cookie#2501.Changed
methodsparameter type fromlist[str]toCollection[str]#2903.import typingbyfrom typing import ...in the whole codebase#2867.Fixed
ExceptionMiddleware.http_exceptionas async to prevent thread creation#2922.New Contributors
Full Changelog:Kludex/starlette@0.46.2...0.47.0
v0.46.2: Version 0.46.2Compare Source
What's Changed
TemplateResponseby@alex-oleshkevich inencode#2909BaseHTTPMiddlewareby@ramannanda9 inencode#2911New Contributors
Full Changelog:Kludex/starlette@0.46.1...0.46.2
v0.46.1: Version 0.46.1Compare Source
Fixed
follow_symlinks=True#2896.Full Changelog:Kludex/starlette@0.46.0...0.46.1
v0.46.0: Version 0.46.0Compare Source
Added
GZipMiddleware: Make sureVaryheader is always added if a response can be compressed#2865.Fixed
GZipMiddleware: Don't compress on server sent events#2871.Changed
MultiPartParser: Renamemax_file_sizetospool_max_size#2780.Deprecated
TestClient(timeout=...)#2840.New Contributors
Full Changelog:Kludex/starlette@0.45.3...0.46.0
v0.45.3: Version 0.45.3Compare Source
Fixed
lookup_pathon commonpath comparison by@Kludex inencode#2851Full Changelog:Kludex/starlette@0.45.2...0.45.3
v0.45.2: Version 0.45.2Compare Source
Fixed
create_memory_object_streamcompatible with old anyio versions once again, and bump anyio minimum version to 3.6.2 by@graingert in#2833.Full Changelog:Kludex/starlette@0.45.1...0.45.2
v0.45.1: Version 0.45.1Compare Source
Fixed
MemoryObjectReceiveStreamupon exception inBaseHTTPMiddlewarechildren by@Kludex inencode#2813Refactor
Full Changelog:Kludex/starlette@0.45.0...0.45.1
v0.45.0: Version 0.45.0Compare Source
Removed
ExceptionMiddlewareimport proxy fromstarlette.exceptionsmodule by@Kludex inencode#2826WS_1004_NO_STATUS_RCVDandWS_1005_ABNORMAL_CLOSUREby@Kludex inencode#2827Full Changelog:Kludex/starlette@0.44.0...0.45.0
v0.44.0: Version 0.44.0Compare Source
Added
max_part_sizeparameter toRequest.form()by@iudeen inencode#2815clientparameter toTestClientby@iudeen inencode#2810New Contributors
Full Changelog:Kludex/starlette@0.43.0...0.44.0
v0.43.0: Version 0.43.0Compare Source
Removed
allow_redirectsargument fromTestClient#2808.Added
New Contributors
Full Changelog:Kludex/starlette@0.42.0...0.43.0
v0.42.0: Version 0.42.0Compare Source
Added
ClientDisconnectonStreamingResponse#2732.Fixed
StaticFileswhenfollow_symlinks=True#2711.python-multipartversion to0.0.180ba8395.httpxversion to0.27.0#2773.New Contributors
Full Changelog:Kludex/starlette@0.41.3...0.42.0
v0.41.3: Version 0.41.3Compare Source
Fixed
scope[raw_path]on theTestClient#2716.dictbyMappingonHTTPException.headers#2749.Full Changelog:Kludex/starlette@0.41.2...0.41.3
v0.41.2: Version 0.41.2Compare Source
What's Changed
python-multipartby@Kludex inencode#2737Full Changelog:Kludex/starlette@0.41.1...0.41.2
v0.41.1: Version 0.41.1Compare Source
What's Changed
python-multipartimport topython_multipartby@Kludex inencode#2733python-multipartversion to 0.0.13 by@Kludex inencode#2734Full Changelog:Kludex/starlette@0.41.0...0.41.1
v0.41.0: Version 0.41.0Compare Source
Added
HTTPExceptionbeforewebsocket.accept()encode#2725v0.40.0: Version 0.40.0Compare Source
This release fixes a Denial of service (DoS) via
multipart/form-datarequests.You can view the full security advisory:
GHSA-f96h-pmfr-66vw
Fixed
max_part_sizetoMultiPartParserto limit the size of parts inmultipart/form-datarequestsfd038f3.
v0.39.2: Version 0.39.2Compare Source
Fixed
request.url_forwhen only "app" scope is available#2672.python-multipart==0.0.12#2708.Full Changelog:Kludex/starlette@0.39.1...0.39.2
v0.39.1: Version 0.39.1Compare Source
Fixed
responses.pyandschemas.py#2700.get_route_pathby removing regular expression usage#2701.FileResponse.chunk_sizewhen handling multiple ranges#2703.token_hexfor generating multipart boundary strings#2702.Full Changelog:Kludex/starlette@0.39.0...0.39.1
v0.39.0: Version 0.39.0Compare Source
Added
FileResponse#2697Full Changelog:Kludex/starlette@0.38.6...0.39.0
v0.38.6: Version 0.38.6Compare Source
Fixed
MemoryObjectReceiveStreaminTestClient#2693.Full Changelog:Kludex/starlette@0.38.5...0.38.6
v0.38.5: Version 0.38.5Compare Source
Fixed
BackgroundTasksfrom withinBaseHTTPMiddleware#2688.This behavior was removed in 0.38.3, and is now restored.
Full Changelog:Kludex/starlette@0.38.4...0.38.5
v0.38.4: Version 0.38.4Compare Source
Fixed
root_pathremoval inget_route_pathfunction#2600Full Changelog:Kludex/starlette@0.38.3...0.38.4
v0.38.3: Version 0.38.3Compare Source
Added
Fixed
BaseHTTPMiddlewareviaStreamingResponse#2620.Full Changelog:Kludex/starlette@0.38.2...0.38.3
v0.38.2: Version 0.38.2Compare Source
Fixed
routing.get_name()not to assume all routines have__name__#2648Full Changelog:Kludex/starlette@0.38.1...0.38.2
v0.38.1: Version 0.38.1Compare Source
Removed
Full Changelog:Kludex/starlette@0.38.0...0.38.1
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.