CVE Catalog

CVE-2026-54283

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.

Risk Assessment

The risk is a potential DoS (Denial of Service) attack by exhausting server resources (memory, CPU) through sending a malicious urlencoded request with excessive fields or oversized field.

Recommendation

Immediately update Starlette to version 1.3.1 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS