CVE-2025-62727

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlettes FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Weakness

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Affected Software

Name	Vendor	Start Version	End Version
Red Hat Ansible Automation Platform 2.5	RedHat	ansible-automation-platform-25/lightspeed-chatbot-rhel8:sha256:5b73be2b1b296f7058abad77ce4ccc385bb3d09ce5b65af017abac5435c96969	*
Red Hat Ansible Automation Platform 2.6	RedHat	ansible-automation-platform-26/lightspeed-chatbot-rhel9:sha256:2c3e51bb9810a3e6b0edc56b8f29fc6296a6f085f398a6474444fca5f1f6938e	*
Red Hat Ansible Automation Platform 2.6	RedHat	ansible-automation-platform-26/mcp-tools-rhel9:sha256:ad2c17363f8c71c9253943fe7b884ba8f983ab61b75cf13479904acd21504ea1	*
Red Hat OpenShift AI 2.22	RedHat	rhoai/odh-feature-server-rhel9:sha256:d5d52b368050d505183452f1d8b5170c86f7473fd869a886777d3bf7e48aad76	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-built-in-detector-rhel9:sha256:4bb82618be2cbe60f5cf217f9bcfa7d6fb502dec6df1f74927599587d495a6ed	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-caikit-nlp-rhel9:sha256:dc9d108d820d3bd6aa0a2402bc9cc8e1fc1b02fb4ee44dea24f0cb6839a79d5a	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-caikit-tgis-serving-rhel9:sha256:4be08cd9e572420854f3a5cf30884219385821737ec7d867db85ac58bf952093	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-feature-server-rhel9:sha256:fc53c992d479524272b81b628f62e71236748aece361d40d1fe590a9352f2ff4	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-guardrails-detector-huggingface-runtime-rhel9:sha256:58b3f92c655e1f6eb35e06fd22e414cfd2a8505afe885d480d0d7c191702ecd5	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-kserve-agent-rhel9:sha256:7caa5349317343219fa6a504ff80b04904df78adbc60b34a3b1951e072db513a	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-kserve-controller-rhel9:sha256:c3627352344b43f17fe4ae467891b2ebd4332a642071b5ff3c0cf81d269f8280	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-kserve-router-rhel9:sha256:bdb164d90a0ad4cf3640afb518371e7b91c7682cc0b1e98e025ca1d64b927efc	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-kserve-storage-initializer-rhel9:sha256:83e3b3a60fc284de9efd3dcf90cf5f744dd24cbc0a27d0d964676d93c8637750	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-llama-stack-core-rhel9:sha256:b2f6495c186115353c9076a4c66d24909bee65363e00340774fd304846b7a546	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:sha256:b29f9abba7ed71b98ad10158dd68c5fe87acf28509438b56f38c2662d8616d75	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9:sha256:f5373ddca575dc4bdb3ebd6910b0665f0a8c3c38454b4d0268c6a97e6f0ec81c	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9:sha256:fa5bd655d75de3ca930e8c6d79a29a53c35d1ee2a0bb03172068505646b65e13	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:sha256:e621898c4dc4f07ad89d4eadd23c5732bc60cf6f42c8e3fd312463b232fc7740	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:sha256:229f2f2ee3b7e63bf17bf6739f3ee69fc87d9070ace1edec5d766f758e04ade1	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:sha256:2f49b2e93ebc766c86404027e25bc433c4a093494c02f18b7c038bda85525cf0	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-vllm-cpu-rhel9:sha256:1cb87f9f25e7c216b86650f4f0d9e23e82771380b1222732256bba45bd4b132a	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-vllm-cuda-rhel9:sha256:ec8d37a58ea9117a493658bd4725e4bebbd62979b5082489747ea6ebb741d76a	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-vllm-gaudi-rhel9:sha256:2885ea112d2dfa84a2f071b498ff56f16fe5dd1d8bb80eb2fe68ff9691e3fe60	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-vllm-rocm-rhel9:sha256:8fbdbf70f34250f36868c8a3b5dabe090218b081c38c1290d7f0e515078e16d2	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9:sha256:56572f2ed89416f7e156c141435ea0dc6ef780784642d2354655847f49f2bc4c	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:sha256:1fbcee8de39474ba1b38561605cf19136f998d58b3739291c735d3cd843c0c79	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:sha256:af5beb652ee1f816bd0acac5b98866cb2ed45df4726bb8fe414f5f14f67cfe5e	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9:sha256:4e72a3976189c1b75260e6926eed40b1817ebbbd6f990e63874ac1452d9cb8c1	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9:sha256:346a4fdde7d4c3d3afba71760edf44730745eb8fde86ec6476a668cea607e7ba	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:sha256:514e9edc09ab789ef1b409e1361d8be90dbfbd231eaad627e69f2301dd634934	*
Red Hat OpenShift AI 2.25	RedHat	rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:sha256:1ecfb6fd3f5f223ff60e90e9ed45d393447f95de6b91451c1614bc69e042ec95	*
Red Hat OpenShift AI 3.2	RedHat	rhaiis/vllm-cuda-rhel9:sha256:ec961e5acfde5c1ad0a7e0e2c86a0bf56b9bc46357fa124f9db6dff1006076ab	*
Red Hat OpenShift AI 3.2	RedHat	rhaiis/vllm-rocm-rhel9:sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57	*
Red Hat OpenShift AI 3.2	RedHat	rhaiis/model-opt-cuda-rhel9:sha256:14e32e88f1b89f59ed34a6d712746b82a6a54c6ed4727784f18aeff853abbdc7	*
Starlette	Ubuntu	plucky	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-62727
CWE	https://cwe.mitre.org/data/definitions/407.html

Inefficient Algorithmic Complexity

Weakness

Affected Software

References