Source: starlette
Version: 1.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Kludex/starlette/pull/3329
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.26.1-1

Hi,

The following vulnerability was published for starlette.

CVE-2026-54283[0]:
| Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until
| 1.3.1, request.form() accepts max_fields and max_part_size to bound
| resource consumption while parsing form data. These limits are
| enforced for multipart/form-data, but silently ignored for
| application/x-www-form-urlencoded. An unauthenticated attacker can
| therefore send a urlencoded body with an arbitrarily large number of
| fields or an arbitrarily large field, even when the application
| configured limits it believed would apply. This vulnerability is
| fixed in 1.3.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54283
    https://www.cve.org/CVERecord?id=CVE-2026-54283
[1] https://github.com/Kludex/starlette/pull/3329
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq
[3] https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735

Regards,
Salvatore
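
The gap the advisory describes, as an added example that is not Starlette's code: a chunked application/x-www-form-urlencoded parser that applies max_fields and max_part_size the way the multipart path already does. parse_urlencoded, FormLimitExceeded and the default limit values are this example's own names and numbers, not Starlette's API.

```python
from collections.abc import Iterable
from urllib.parse import unquote_plus


class FormLimitExceeded(ValueError):
    """Raised when a form body exceeds a configured bound (name chosen for this example)."""


def parse_urlencoded(chunks: Iterable[bytes], *, max_fields: int = 1000,
                     max_part_size: int = 1024 * 1024) -> list[tuple[str, str]]:
    """Parse an application/x-www-form-urlencoded body that arrives in chunks.

    Both limits are applied to the raw, still percent-encoded bytes as they
    arrive: an over-long field is rejected before it is buffered in full, and
    the (max_fields + 1)th field is rejected before it is decoded.
    """
    fields: list[tuple[str, str]] = []
    pending = bytearray()  # bytes of the field currently being received

    def emit(raw: bytes) -> None:
        if not raw:  # tolerate "a=1&&b=2", as most parsers do
            return
        if len(fields) >= max_fields:
            raise FormLimitExceeded(f"more than {max_fields} fields")
        if len(raw) > max_part_size:
            raise FormLimitExceeded(f"field larger than {max_part_size} bytes")
        key, _, value = raw.partition(b"=")
        fields.append((unquote_plus(key.decode("latin-1")),
                       unquote_plus(value.decode("latin-1"))))

    for chunk in chunks:
        pending += chunk
        while (sep := pending.find(b"&")) >= 0:
            emit(bytes(pending[:sep]))
            del pending[:sep + 1]
        # The unfinished field must also stay within bounds between chunks,
        # otherwise a single huge field could still grow without limit.
        if len(pending) > max_part_size:
            raise FormLimitExceeded(f"field larger than {max_part_size} bytes")
    emit(bytes(pending))
    return fields
```

The request body size itself is a separate bound (Content-Length or a body-size middleware); these two checks only cover what the advisory names.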
