Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Metrics
Affected Vendors & Products
References
History
Thu, 02 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Tue, 23 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kludex
Kludex starlette |
|
| Vendors & Products |
Kludex
Kludex starlette |
Mon, 22 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1. | |
| Title | Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-22T16:46:16.706Z
Updated: 2026-06-23T16:10:51.227Z
Reserved: 2026-06-12T17:46:37.292Z
Link: CVE-2026-54283
Updated: 2026-06-23T16:06:34.955Z
No data.