Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlettes FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-cuda-rhel9:sha256:ec961e5acfde5c1ad0a7e0e2c86a0bf56b9bc46357fa124f9db6dff1006076ab | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-rocm-rhel9:sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57 | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/model-opt-cuda-rhel9:sha256:14e32e88f1b89f59ed34a6d712746b82a6a54c6ed4727784f18aeff853abbdc7 | * |
| Red Hat Ansible Automation Platform 2.5 | RedHat | ansible-automation-platform-25/lightspeed-chatbot-rhel8:sha256:05fc1db58b19d1f19feb366d937677e5d0ec184827c1a9b7ddf3532a65c56657 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/lightspeed-chatbot-rhel9:sha256:2b475b22f6cad9b4036c8b19a9348187525676a7cde234cff0eecd706fb1d499 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/mcp-tools-rhel9:sha256:dabcd3da4180f284828d5c2926916c4994925c353dc0c3f2b8f4ee88249be21b | * |
| Red Hat OpenShift AI 2.22 | RedHat | rhoai/odh-feature-server-rhel9:sha256:d5d52b368050d505183452f1d8b5170c86f7473fd869a886777d3bf7e48aad76 | * |