Source: starlette
Version: 0.46.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for starlette.

CVE-2025-54121[0]:
| Starlette is a lightweight ASGI (Asynchronous Server Gateway
| Interface) framework/toolkit, designed for building async web
| services in Python. In versions 0.47.1 and below, when parsing a
| multi-part form with large files (greater than the default max spool
| size) starlette will block the main thread to roll the file over to
| disk. This blocks the event thread which means the application can't
| accept new connections. The UploadFile code has a minor bug where
| instead of just checking for self._in_memory, the logic should also
| check if the additional bytes will cause a rollover. The
| vulnerability is fixed in version 0.47.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54121
    https://www.cve.org/CVERecord?id=CVE-2025-54121
[1] https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
[2] https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
[3] https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
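As an added illustration (not Starlette's code and not the upstream patch), the following minimal upload buffer on top of Python's SpooledTemporaryFile shows both the flawed check described in the advisory and the corrected one: the naive path only asks "am I still in memory?", so the write that crosses the spool limit performs the disk rollover on the event loop, while the hardened path also asks whether the incoming bytes will trigger that rollover and offloads the write. The Upload class, the 1024-byte spool limit and the 600-byte chunks are constructed for the demo.

```python
import asyncio
from tempfile import SpooledTemporaryFile

MAX_SPOOL = 1024  # constructed: a tiny spool limit so the disk rollover is easy to hit


class Upload:
    """Constructed stand-in for an upload buffer (not Starlette's UploadFile)."""

    def __init__(self, max_size: int = MAX_SPOOL, predict_rollover: bool = False):
        self.file = SpooledTemporaryFile(max_size=max_size)
        self.max_size = max_size
        self.size = 0
        self.predict_rollover = predict_rollover
        self.log: list[str] = []  # "loop": written on the event loop, "thread": offloaded

    @property
    def _in_memory(self) -> bool:
        # SpooledTemporaryFile keeps a private _rolled flag; False until it moves to disk.
        return not getattr(self.file, "_rolled", True)

    def would_roll_over(self, n: int) -> bool:
        # SpooledTemporaryFile rolls to disk as soon as the buffer exceeds max_size.
        return self.size + n > self.max_size

    async def write(self, data: bytes) -> None:
        inline = self._in_memory
        if self.predict_rollover and self.would_roll_over(len(data)):
            # Hardened check: the write that will trigger the rollover is offloaded too.
            inline = False
        self.size += len(data)
        if inline:
            # Flawed path: a cheap BytesIO write, unless it triggers the rollover,
            # in which case the disk copy runs here and stalls the whole event loop.
            self.file.write(data)
            self.log.append("loop")
        else:
            await asyncio.to_thread(self.file.write, data)
            self.log.append("thread")


async def feed(upload: Upload, chunks: list[bytes]) -> list[str]:
    for chunk in chunks:
        await upload.write(chunk)
    return upload.log


def demo(predict_rollover: bool) -> list[str]:
    # Constructed input: the second chunk pushes the buffer past the 1024-byte limit.
    chunks = [b"a" * 600, b"b" * 600, b"c" * 600]
    return asyncio.run(feed(Upload(predict_rollover=predict_rollover), chunks))
```

demo(False) records the rollover write as happening on the event loop, while demo(True) sends it to a worker thread, so the loop stays free to accept new connections while the file is copied to disk.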