CVE-2026-54283
Undergoing Analysis Undergoing Analysis - In Progress
Starlette Form Parsing Resource Consumption Vulnerability

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-54283
EUVD
EUVD-2026-38319
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kludex starlette From 0.4.1 (inc) to 1.3.1 (exc)
kludex starlette 1.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54283 is a Denial of Service (DoS) vulnerability in the Starlette framework versions from 0.4.1 up to but not including 1.3.1. The issue occurs in the handling of form data when using request.form() with application/x-www-form-urlencoded requests. Although limits on the number of fields (max_fields) and the size of each field (max_part_size) are enforced for multipart/form-data requests, these limits are silently ignored for urlencoded form data.

This allows an unauthenticated attacker to send a request with an extremely large number of fields or a very large single field, bypassing the intended resource consumption limits. The attack can either consume excessive CPU by sending around one million fields or cause unbounded memory allocation by sending a single large field (e.g., 50MB). Both attack methods can make the service unresponsive.

Compliance Impact

This vulnerability primarily impacts the availability of services by allowing denial of service (DoS) attacks through resource exhaustion. It does not directly affect confidentiality or integrity of data.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, availability is a key component of many security frameworks and regulations. A denial of service could potentially disrupt service availability, which may indirectly affect compliance if critical systems become unavailable.

However, since the vulnerability does not involve unauthorized access to or disclosure of personal data, its impact on compliance with data protection regulations like GDPR or HIPAA is limited to availability concerns.

Impact Analysis

This vulnerability primarily impacts the availability of applications using the affected Starlette versions. An attacker can exploit it to cause a Denial of Service by either blocking the event loop with a very high number of form fields or exhausting memory by sending a very large field value.

As a result, the application may become unresponsive to legitimate requests, leading to downtime or degraded service performance. While some mitigation is possible with reverse proxies limiting request body size, this does not fully prevent event loop blocking caused by excessive field counts.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large or excessive numbers of application/x-www-form-urlencoded POST requests to your Starlette-based application. Specifically, look for requests containing an extremely high number of fields (e.g., around 1,000,000) or very large single field values (e.g., tens of megabytes).

You can use network monitoring tools or web server logs to identify such suspicious requests. For example, using command-line tools like curl or wget to simulate or detect large form submissions, or using grep and awk on logs to find requests with large content-length headers or excessive field counts.

  • Use curl to send a large number of fields and observe application behavior: curl -X POST -d "field1=value1&field2=value2&...&field1000000=value" http://yourserver/path
  • Check web server logs for large Content-Length headers or repeated field patterns: grep 'Content-Length' /var/log/nginx/access.log | sort -nr | head
  • Use network packet capture tools (e.g., tcpdump or Wireshark) to analyze POST request payload sizes and field counts.
Mitigation Strategies

The primary immediate mitigation is to upgrade the Starlette framework to version 1.3.1 or later, where the vulnerability is fixed by enforcing limits on application/x-www-form-urlencoded requests.

If upgrading immediately is not possible, you can mitigate the memory exhaustion risk by placing a reverse proxy in front of your application that enforces a request body size limit.

However, note that a reverse proxy alone does not prevent event loop blocking caused by a high number of fields, so upgrading remains the most effective mitigation.

  • Upgrade Starlette to version 1.3.1 or later.
  • Configure a reverse proxy (e.g., Nginx) to limit request body size to mitigate large payload attacks.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart