Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
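
A stopgap for deployments that cannot yet move to 0.49.1, added here as an example and not taken from the advisory or from Starlette: a pure ASGI middleware that rejects Range headers carrying more ranges than a fixed cap before the request reaches FileResponse. The names `RangeLimitMiddleware`, `range_header_ok` and `status_for`, both caps, and the choice of a 416 response are assumptions of this example.

```python
import asyncio

MAX_RANGES = 8                 # assumed cap on ranges per request; tune per deployment
MAX_RANGE_HEADER_BYTES = 256   # assumed cap on the raw header value length

def range_header_ok(value: bytes) -> bool:
    """True when a Range header value stays within the assumed limits."""
    if len(value) > MAX_RANGE_HEADER_BYTES:
        return False
    _, sep, spec = value.partition(b"=")
    if not sep:
        return True  # not "unit=ranges"; leave it for the framework to reject
    return spec.count(b",") + 1 <= MAX_RANGES

class RangeLimitMiddleware:
    """Pure ASGI middleware: answer 416 before the app parses an oversized Range."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            # ASGI header names are lowercased bytes; check every Range occurrence.
            for name, value in scope.get("headers", []):
                if name == b"range" and not range_header_ok(value):
                    await send({"type": "http.response.start", "status": 416,
                                "headers": [(b"content-length", b"0")]})
                    await send({"type": "http.response.body", "body": b""})
                    return
        await self.app(scope, receive, send)

async def _file_app(scope, receive, send):
    # Constructed stand-in for a FileResponse/StaticFiles endpoint.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_for(range_value: bytes) -> int:
    """Drive one constructed request through the middleware; return the status."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/static/a.bin",
             "headers": [(b"range", range_value)]}
    asyncio.run(RangeLimitMiddleware(_file_app)(scope, receive, send))
    return sent[0]["status"]
```

Wrap the outermost ASGI app with `RangeLimitMiddleware(app)` so the check runs ahead of any file-serving route; it bounds the input size only and does not replace the upgrade to 0.49.1.
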
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-cuda-rhel9:sha256:ec961e5acfde5c1ad0a7e0e2c86a0bf56b9bc46357fa124f9db6dff1006076ab | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-rocm-rhel9:sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57 | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/model-opt-cuda-rhel9:sha256:dce6b0ea03379bf06664a5200af8b5f5ae3fad13cdce6d21873843f22554800b | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-cuda-rhel9:sha256:fa844e16d06e871f1a5dbc2fd5b3882d28112eee8d6bee601d94c96295c5e24f | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/vllm-rocm-rhel9:sha256:53007894763e03f609c35c727cb738db3c2130b19fa0e1069c24240e0870fb7a | * |
| Red Hat Ansible Automation Platform 2.5 | RedHat | ansible-automation-platform-25/lightspeed-chatbot-rhel8:sha256:b46385b4a5063dd766ccffd94c27579499376179a0bae07711f404893c7b6f26 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/lightspeed-chatbot-rhel9:sha256:2b475b22f6cad9b4036c8b19a9348187525676a7cde234cff0eecd706fb1d499 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/mcp-tools-rhel9:sha256:dabcd3da4180f284828d5c2926916c4994925c353dc0c3f2b8f4ee88249be21b | * |
| Red Hat OpenShift AI 2.22 | RedHat | rhoai/odh-feature-server-rhel9:sha256:d5d52b368050d505183452f1d8b5170c86f7473fd869a886777d3bf7e48aad76 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-built-in-detector-rhel9:sha256:030379c0fb216de4f871c3fb09ab5acc4996f0be1da03fdb1b1726bb60a31554 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-caikit-nlp-rhel9:sha256:dc9d108d820d3bd6aa0a2402bc9cc8e1fc1b02fb4ee44dea24f0cb6839a79d5a | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-caikit-tgis-serving-rhel9:sha256:6cdd7fbb536a4175e8cfe3e7eb72e83740f105522fb3acc5cbec713445399d40 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-feature-server-rhel9:sha256:fc53c992d479524272b81b628f62e71236748aece361d40d1fe590a9352f2ff4 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-guardrails-detector-huggingface-runtime-rhel9:sha256:58b3f92c655e1f6eb35e06fd22e414cfd2a8505afe885d480d0d7c191702ecd5 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-kserve-agent-rhel9:sha256:fc9ab886aa4b1c0b7083585c3edfb7ad6b3c748d8880bc425e049f0bbdec847b | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-kserve-controller-rhel9:sha256:8db8a21329d717f1783a346949a1de0a79b44b7c3cfdd4ec3e34604fb21c7d6a | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-kserve-router-rhel9:sha256:ba956e911769ebac40cb58b3ca4bb95b0bb7fd1f30d7210bc75498e95592fd98 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-kserve-storage-initializer-rhel9:sha256:83e3b3a60fc284de9efd3dcf90cf5f744dd24cbc0a27d0d964676d93c8637750 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-llama-stack-core-rhel9:sha256:b2f6495c186115353c9076a4c66d24909bee65363e00340774fd304846b7a546 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:sha256:b29f9abba7ed71b98ad10158dd68c5fe87acf28509438b56f38c2662d8616d75 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9:sha256:f5373ddca575dc4bdb3ebd6910b0665f0a8c3c38454b4d0268c6a97e6f0ec81c | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9:sha256:fa5bd655d75de3ca930e8c6d79a29a53c35d1ee2a0bb03172068505646b65e13 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:sha256:e621898c4dc4f07ad89d4eadd23c5732bc60cf6f42c8e3fd312463b232fc7740 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:sha256:1931d2ff282436ab32f8cb4bee1cfa6d5484fd9d62273be4ec3ae5c1f7f9dcb2 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:sha256:2f49b2e93ebc766c86404027e25bc433c4a093494c02f18b7c038bda85525cf0 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-vllm-cpu-rhel9:sha256:60db3e9cbaac0f498f1eb0de110412bb5c443a98afc0ef397a2fa997515c261d | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-vllm-cuda-rhel9:sha256:ec8d37a58ea9117a493658bd4725e4bebbd62979b5082489747ea6ebb741d76a | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-vllm-gaudi-rhel9:sha256:2885ea112d2dfa84a2f071b498ff56f16fe5dd1d8bb80eb2fe68ff9691e3fe60 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-vllm-rocm-rhel9:sha256:8fbdbf70f34250f36868c8a3b5dabe090218b081c38c1290d7f0e515078e16d2 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9:sha256:56572f2ed89416f7e156c141435ea0dc6ef780784642d2354655847f49f2bc4c | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:sha256:1f3492cbf44d4004f3437a8bfc7dc95719041d58f65926a538085d7433b4aa5d | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:sha256:af5beb652ee1f816bd0acac5b98866cb2ed45df4726bb8fe414f5f14f67cfe5e | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9:sha256:4e72a3976189c1b75260e6926eed40b1817ebbbd6f990e63874ac1452d9cb8c1 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9:sha256:346a4fdde7d4c3d3afba71760edf44730745eb8fde86ec6476a668cea607e7ba | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:sha256:227ef502cc266d18541445091e618df4c25430e50698ab02c519f32bef38b0b1 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:sha256:1ecfb6fd3f5f223ff60e90e9ed45d393447f95de6b91451c1614bc69e042ec95 | * |
| Starlette | Ubuntu | plucky | * |