Register | Log in

starlette

ASGI library ideal for building high performance asyncio services

Choose email to subscribe with

general

source: starlette (main)
version: 1.1.0-1
maintainer: Debian Python Team (DMD)
uploaders: Matheus Polkorny [DMD] – Piotr Ożarowski [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.14.1-1
oldstable: 0.26.1-1
old-sec: 0.26.1-1+deb12u1
old-p-u: 0.26.1-1+deb12u1
stable: 0.46.1-3+deb13u1
stable-sec: 0.46.1-3+deb13u2
stable-p-u: 0.46.1-3+deb13u2
testing: 1.1.0-1
unstable: 1.1.0-1

versioned links

0.14.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.26.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.26.1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.46.1-3+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.46.1-3+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-starlette

action needed

A new upstream version is available: 1.3.1 high

A new upstream version 1.3.1 is available, you should consider packaging it.

Created: 2026-05-24 Last update: 2026-06-29 19:03

3 security issues in trixie high

There are 3 open security issues in trixie.

2 important issues:

CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

1 issue left for the package maintainer to handle:

CVE-2026-48817: (needs triaging) Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-18 Last update: 2026-06-24 00:50

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Created: 2026-06-22 Last update: 2026-06-24 00:50

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Created: 2026-06-22 Last update: 2026-06-24 00:50

8 security issues in bullseye high

There are 8 open security issues in bullseye.

4 important issues:

CVE-2026-48710: Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
CVE-2026-48817: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.
CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

4 issues postponed or untriaged:

CVE-2023-29159: (needs triaging) Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
CVE-2023-30798: (needs triaging) There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
CVE-2024-47874: (postponed; to be fixed through a stable update) Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
CVE-2025-54121: (postponed; to be fixed through a stable update) Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

Created: 2026-05-22 Last update: 2026-06-24 00:50

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2026-48817: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.
CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Created: 2026-06-18 Last update: 2026-06-24 00:50

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-05-28 22:37

news

[2026-05-31] starlette 1.1.0-1 MIGRATED to testing (Debian testing watch)
[2026-05-28] Accepted starlette 0.26.1-1+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Carsten Schoenert)
[2026-05-28] Accepted starlette 0.46.1-3+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-05-28] Accepted starlette 1.1.0-1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-05-27] Accepted starlette 0.26.1-1+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Carsten Schoenert)
[2026-05-27] Accepted starlette 0.46.1-3+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-05-23] starlette 1.0.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-25] Accepted starlette 1.0.0-1 (source) into unstable (Matheus Polkorny) (signed by: Piotr Ożarowski)
[2026-02-28] Accepted starlette 0.46.1-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Carsten Schoenert)
[2026-01-04] starlette 0.50.0-1 MIGRATED to testing (Debian testing watch)
[2026-01-01] Accepted starlette 0.50.0-1 (source) into unstable (Carsten Schoenert)
[2025-07-30] starlette 0.46.1-3 MIGRATED to testing (Debian testing watch)
[2025-07-28] Accepted starlette 0.46.1-3 (source) into unstable (Piotr Ożarowski)
[2025-03-14] starlette 0.46.1-2 MIGRATED to testing (Debian testing watch)
[2025-03-11] Accepted starlette 0.46.1-2 (source) into unstable (Santiago Vila)
[2025-03-09] Accepted starlette 0.46.1-1 (source) into unstable (Alexandre Detiste)
[2024-11-30] starlette 0.41.3-2 MIGRATED to testing (Debian testing watch)
[2024-11-27] Accepted starlette 0.41.3-2 (source) into unstable (Colin Watson)
[2024-11-24] starlette 0.41.3-1 MIGRATED to testing (Debian testing watch)
[2024-11-21] Accepted starlette 0.41.3-1 (source) into unstable (Piotr Ożarowski)
[2024-11-01] starlette 0.41.2-1 MIGRATED to testing (Debian testing watch)
[2024-10-29] Accepted starlette 0.41.2-1 (source) into unstable (Piotr Ożarowski)
[2024-10-20] starlette 0.41.0-1 MIGRATED to testing (Debian testing watch)
[2024-10-18] Accepted starlette 0.41.0-1 (source) into unstable (Piotr Ożarowski)
[2024-10-04] starlette 0.39.2-1 MIGRATED to testing (Debian testing watch)
[2024-10-01] Accepted starlette 0.39.2-1 (source) into unstable (Piotr Ożarowski)
[2024-09-30] starlette 0.39.1-1 MIGRATED to testing (Debian testing watch)
[2024-09-27] Accepted starlette 0.39.1-1 (source) into unstable (Piotr Ożarowski)
[2024-08-16] starlette 0.38.2-1 MIGRATED to testing (Debian testing watch)
[2024-08-14] Accepted starlette 0.38.2-1 (source) into unstable (Piotr Ożarowski)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.1.0-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing