Security: Kludex/starlette
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Unvalidated request path concatenated into authority poisons request.url.hostnameGHSA-jp82-jpqv-5vv3 published
Jun 11, 2026 by KludexLow -
Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`GHSA-x746-7m8f-x49c published
May 23, 2026 by KludexModerate -
request.form() limits silently ignored for application/x-www-form-urlencoded enable DoSGHSA-82w8-qh3p-5jfq published
Jun 12, 2026 by KludexHigh -
Missing Host header validation poisons request.url.path, bypassing path-based security checksGHSA-86qp-5c8j-p5mr published
May 21, 2026 by KludexModerate -
SSRF and NTLM credential theft via UNC paths in StaticFiles on WindowsGHSA-wqp7-x3pw-xc5r published
May 23, 2026 by KludexHigh -
O(n^2) DoS via Range header merging in `starlette.responses.FileResponse`GHSA-7f5h-v6xp-fcq8 published
Oct 28, 2025 by KludexHigh -
Possible denial-of-service vector when parsing large files in multipart formsGHSA-2c2j-9gv5-cj73 published
Jul 20, 2025 by KludexModerate -
Denial of service (DoS) via multipart/form-dataGHSA-f96h-pmfr-66vw published
Oct 15, 2024 by KludexHigh -
Path traversal vulnerability in StaticFilesGHSA-v5gw-mw7f-84px published
May 16, 2023 by KludexLow -
MultipartParser DOS with too many fields or filesGHSA-74m5-2c7w-9w3x published
Feb 14, 2023 by KludexModerate