Source: starlette
Version: 1.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Kludex/starlette/pull/3329
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.26.1-1

Hi,

The following vulnerability was published for starlette.

CVE-2026-54283[0]:
| Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until
| 1.3.1, request.form() accepts max_fields and max_part_size to bound
| resource consumption while parsing form data. These limits are
| enforced for multipart/form-data, but silently ignored for
| application/x-www-form-urlencoded. An unauthenticated attacker can
| therefore send a urlencoded body with an arbitrarily large number of
| fields or an arbitrarily large field, even when the application
| configured limits it believed would apply. This vulnerability is
| fixed in 1.3.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54283
    https://www.cve.org/CVERecord?id=CVE-2026-54283
[1] https://github.com/Kludex/starlette/pull/3329
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq
[3] https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735

Regards,
Salvatore
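As an added illustration (not Starlette's code and not the fix from PR 3329): a bounded parser for application/x-www-form-urlencoded bodies that enforces the two limits the advisory names, max_fields and max_part_size, the way an application still pinned to an affected release could guard a body before handing it to request.form(). It uses only the standard library; parse_urlencoded_bounded, FormLimitExceeded and rejects are hypothetical names chosen here, and the sample bodies in the test are constructed.

```python
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(ValueError):
    """Raised when a urlencoded body exceeds max_fields or max_part_size."""


def _decode(token: bytes) -> str:
    # Same rules as urllib.parse.parse_qsl: '+' is a space, then percent-decode,
    # then UTF-8 with undecodable bytes replaced.
    return unquote_to_bytes(token.replace(b"+", b" ")).decode("utf-8", "replace")


def parse_urlencoded_bounded(
    body: bytes, *, max_fields: int = 1000, max_part_size: int = 1024 * 1024
) -> list[tuple[str, str]]:
    """Parse a urlencoded body (hypothetical helper, not Starlette's API).

    The body is rejected as soon as it contains more than max_fields fields or
    a single name or value longer than max_part_size bytes. Limits are checked
    on the encoded bytes before decoding; the encoded length is an upper bound
    on the decoded length, so the check is conservative and never admits an
    oversized decoded part.
    """
    fields: list[tuple[str, str]] = []
    pos, end = 0, len(body)
    while pos < end:
        nxt = body.find(b"&", pos)
        if nxt == -1:
            nxt = end
        # Cheap rejection before copying the segment: name + '=' + value can
        # never fit within the limits if the raw span is this long.
        if nxt - pos > 2 * max_part_size + 1:
            raise FormLimitExceeded(f"form field larger than {max_part_size} bytes")
        chunk = body[pos:nxt]
        pos = nxt + 1
        if not chunk:
            # Tolerate empty segments such as "a=1&&b=2" or a trailing '&'.
            continue
        if len(fields) >= max_fields:
            raise FormLimitExceeded(f"more than {max_fields} form fields")
        name, _, value = chunk.partition(b"=")
        if len(name) > max_part_size or len(value) > max_part_size:
            raise FormLimitExceeded(f"form field larger than {max_part_size} bytes")
        fields.append((_decode(name), _decode(value)))
    return fields


def rejects(body: bytes, **limits: int) -> bool:
    """True if the body would be refused under the given limits."""
    try:
        parse_urlencoded_bounded(body, **limits)
    except FormLimitExceeded:
        return True
    return False
```

The guard only bounds parsing work and the size of the decoded result; it runs after the body has been buffered, so it cannot bound the memory used to receive it. In a real deployment, also refuse requests whose Content-Length exceeds what the application is willing to hold before reading the body at all, and once on 1.3.1 or later let request.form() apply its own limits to both content types.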

