starlette - Debian Package Tracker

general

source: starlette (main)
version: 0.46.1-3
maintainer: Piotr Ożarowski (DMD)
uploaders: Debian Python Team [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.14.1-1
oldstable: 0.26.1-1
stable: 0.46.1-3
testing: 0.46.1-3
unstable: 0.46.1-3

versioned links

0.14.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.26.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.46.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-starlette

action needed

A new upstream version is available: 0.48.0 high

A new upstream version 0.48.0 is available, you should consider packaging it.

Created: 2025-04-17 Last update: 2025-10-31 17:01

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Created: 2025-10-29 Last update: 2025-10-30 06:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Created: 2025-10-29 Last update: 2025-10-30 06:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Created: 2025-10-29 Last update: 2025-10-30 06:30

5 security issues in bullseye high

There are 5 open security issues in bullseye.

1 important issue:

CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

4 issues postponed or untriaged:

CVE-2023-29159: (needs triaging) Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
CVE-2023-30798: (needs triaging) There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
CVE-2024-47874: (postponed; to be fixed through a stable update) Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
CVE-2025-54121: (postponed; to be fixed through a stable update) Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

Created: 2025-10-29 Last update: 2025-10-30 06:30

4 security issues in bookworm high

There are 4 open security issues in bookworm.

1 important issue:

CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Prior to 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

3 issues left for the package maintainer to handle:

CVE-2023-29159: (needs triaging) Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
CVE-2024-47874: (needs triaging) Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.
CVE-2025-54121: (needs triaging) Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-01-23 Last update: 2025-10-30 06:30

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit a6c184cb0f39188a33354dc4db97e9b7fbe0107f
Author: Piotr Ożarowski <piotr@debian.org>
Date:   Mon Jul 28 21:01:10 2025 +0200

    fix changelog indentation

Created: 2025-07-28 Last update: 2025-10-31 05:46

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-11-28 Last update: 2025-09-11 00:04

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 0.46.1-3 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-03-12 Last update: 2025-07-28 20:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-08-07 17:31

news

[rss feed]

[2025-07-30] starlette 0.46.1-3 MIGRATED to testing (Debian testing watch)
[2025-07-28] Accepted starlette 0.46.1-3 (source) into unstable (Piotr Ożarowski)
[2025-03-14] starlette 0.46.1-2 MIGRATED to testing (Debian testing watch)
[2025-03-11] Accepted starlette 0.46.1-2 (source) into unstable (Santiago Vila)
[2025-03-09] Accepted starlette 0.46.1-1 (source) into unstable (Alexandre Detiste)
[2024-11-30] starlette 0.41.3-2 MIGRATED to testing (Debian testing watch)
[2024-11-27] Accepted starlette 0.41.3-2 (source) into unstable (Colin Watson)
[2024-11-24] starlette 0.41.3-1 MIGRATED to testing (Debian testing watch)
[2024-11-21] Accepted starlette 0.41.3-1 (source) into unstable (Piotr Ożarowski)
[2024-11-01] starlette 0.41.2-1 MIGRATED to testing (Debian testing watch)
[2024-10-29] Accepted starlette 0.41.2-1 (source) into unstable (Piotr Ożarowski)
[2024-10-20] starlette 0.41.0-1 MIGRATED to testing (Debian testing watch)
[2024-10-18] Accepted starlette 0.41.0-1 (source) into unstable (Piotr Ożarowski)
[2024-10-04] starlette 0.39.2-1 MIGRATED to testing (Debian testing watch)
[2024-10-01] Accepted starlette 0.39.2-1 (source) into unstable (Piotr Ożarowski)
[2024-09-30] starlette 0.39.1-1 MIGRATED to testing (Debian testing watch)
[2024-09-27] Accepted starlette 0.39.1-1 (source) into unstable (Piotr Ożarowski)
[2024-08-16] starlette 0.38.2-1 MIGRATED to testing (Debian testing watch)
[2024-08-14] Accepted starlette 0.38.2-1 (source) into unstable (Piotr Ożarowski)
[2024-04-23] starlette 0.37.2-1 MIGRATED to testing (Debian testing watch)
[2024-04-17] Accepted starlette 0.37.2-1 (source) into unstable (Piotr Ożarowski)
[2024-01-03] starlette 0.31.1-1 MIGRATED to testing (Debian testing watch)
[2023-12-12] starlette REMOVED from testing (Debian testing watch)
[2023-09-22] starlette 0.31.1-1 MIGRATED to testing (Debian testing watch)
[2023-09-20] Accepted starlette 0.31.1-1 (source) into unstable (Piotr Ożarowski)
[2023-08-04] starlette 0.30.0-1 MIGRATED to testing (Debian testing watch)
[2023-07-21] Accepted starlette 0.30.0-1 (source) into unstable (Piotr Ożarowski)
[2023-06-22] Accepted starlette 0.28.0-1 (source) into unstable (Piotr Ożarowski)
[2023-04-23] starlette 0.26.1-1 MIGRATED to testing (Debian testing watch)
[2023-04-03] Accepted starlette 0.26.1-1 (source) into unstable (Piotr Ożarowski)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 4)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.46.1-3
1 bug