Source: starlette
Version: 1.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Kludex/starlette/pull/3326
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for starlette.

CVE-2026-54282[0]:
| Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0,
| the HTTP request path is not validated before being used to
| reconstruct request.url. Because request.url is rebuilt by
| concatenating {scheme}://{host}{path} and re-parsing the result, a
| path that does not begin with / (for example @google.com) moves the
| authority boundary during re-parsing, so request.url.hostname and
| request.url.netloc become attacker-controlled. Code that reads
| request.url.hostname (rather than the Host header or scope) can
| therefore be misled into trusting an attacker-supplied host. This
| vulnerability is fixed in 1.3.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54282
    https://www.cve.org/CVERecord?id=CVE-2026-54282
[1] https://github.com/Kludex/starlette/pull/3326
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-jp82-jpqv-5vv3
[3] 
https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to