CVE-2025-62727

7.5 HIGH
Published: October 28, 2025 Modified: November 04, 2025
View on NVD

Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
Source: security-advisories@github.com
https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
Source: security-advisories@github.com
https://github.com/Kludex/starlette/releases/tag/0.49.1
Source: security-advisories@github.com
https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
Source: security-advisories@github.com
https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.6%
68th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-407

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A