CVE-2025-54121
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| encode | starlette | 0.47.2 |
| encode | starlette | 0.47.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Starlette versions 0.47.1 and below, when handling multi-part form uploads with large files exceeding the default max spool size, the framework blocks the main event thread while rolling the file over to disk. This blocking prevents the application from accepting new connections. The issue arises because the UploadFile code only checks if the file is in memory, but does not properly check if additional bytes will cause a rollover to disk. This bug causes the event loop to be blocked during large file uploads.
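The check described above, as an added illustration that is not Starlette's own code: a minimal spooled upload buffer whose flawed write only asks "is the file still in memory?", beside a corrected write that also asks whether the incoming chunk would trigger the rollover to disk and, if so, moves the write off the event loop thread. Class and method names (SpooledUploadFile, write_vulnerable, write_fixed) are invented for the example and the 16-byte spool size and three 10-byte chunks are constructed input.

```python
import asyncio
import io
import tempfile


class SpooledUploadFile:
    """Illustrative spool buffer (not Starlette's): bytes stay in memory until
    max_size would be exceeded, then the buffer is rolled over to a disk file."""

    def __init__(self, max_size: int = 1024 * 1024):
        self.max_size = max_size
        self.file = io.BytesIO()
        self.rolled_to_disk = False
        self.rollovers_on_loop = 0  # rollovers that ran on the event loop thread

    def _rollover(self) -> None:
        # Copying the in-memory buffer into a real temp file is blocking disk I/O.
        disk_file = tempfile.TemporaryFile()
        disk_file.write(self.file.getvalue())
        self.file = disk_file
        self.rolled_to_disk = True

    def _write_blocking(self, data: bytes, on_loop_thread: bool = False) -> None:
        if not self.rolled_to_disk and self.file.tell() + len(data) > self.max_size:
            self._rollover()
            if on_loop_thread:
                self.rollovers_on_loop += 1
        self.file.write(data)

    async def write_vulnerable(self, data: bytes) -> None:
        # Flawed pattern: only the in-memory state is checked, so the chunk that
        # crosses the threshold performs the disk rollover inline on the loop.
        if not self.rolled_to_disk:
            self._write_blocking(data, on_loop_thread=True)
        else:
            await asyncio.to_thread(self._write_blocking, data)

    async def write_fixed(self, data: bytes) -> None:
        # Corrected pattern: a chunk that still fits is a cheap memory write; any
        # chunk that would cause a rollover is written in a worker thread instead.
        if not self.rolled_to_disk and self.file.tell() + len(data) <= self.max_size:
            self.file.write(data)
        else:
            await asyncio.to_thread(self._write_blocking, data)


async def _upload(write, chunks, max_size):
    upload = SpooledUploadFile(max_size=max_size)
    for chunk in chunks:
        await write(upload, chunk)
    return upload


def count_rollovers_on_loop(fixed: bool):
    """Constructed upload: three 10-byte chunks into a 16-byte spool."""
    chunks = [b"a" * 10, b"b" * 10, b"c" * 10]
    write = SpooledUploadFile.write_fixed if fixed else SpooledUploadFile.write_vulnerable
    upload = asyncio.run(_upload(write, chunks, max_size=16))
    return upload.rollovers_on_loop, upload.rolled_to_disk, upload.file.tell()
```

Both variants end with the same 30 bytes on disk; only the vulnerable one performs the rollover on the event loop thread.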
How can this vulnerability impact me?
This vulnerability can cause the Starlette application to become unresponsive during large file uploads, as the main event thread is blocked while rolling files over to disk. This means the application cannot accept new connections, potentially leading to denial of service or degraded performance for users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Starlette to version 0.47.2 or later, as this version contains the fix for the vulnerability that causes the main thread to block when parsing large multi-part form files.