#1140631 starlette: CVE-2026-54283

Package: src:starlette
Source: src:starlette
Submitter: Salvatore Bonaccorso
Date: 2026-06-23 19:21:02 UTC
Severity: normal

#1140631#5
Date: 2026-06-23 19:19:36 UTC
Hi,

The following vulnerability was published for starlette.

CVE-2026-54283[0]:
| Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until
| 1.3.1, request.form() accepts max_fields and max_part_size to bound
| resource consumption while parsing form data. These limits are
| enforced for multipart/form-data, but silently ignored for
| application/x-www-form-urlencoded. An unauthenticated attacker can
| therefore send a urlencoded body with an arbitrarily large number of
| fields or an arbitrarily large field, even when the application
| configured limits it believed would apply. This vulnerability is
| fixed in 1.3.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54283
https://www.cve.org/CVERecord?id=CVE-2026-54283
[1] https://github.com/Kludex/starlette/pull/3329
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq
[3] https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735

Regards,
Salvatore
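The gap the advisory describes, as an added example that is not part of the Debian report or of the Starlette project: a stand-alone pre-check that applies max_fields and max_part_size to application/x-www-form-urlencoded bodies the way the multipart path already does, so an application on a release before 1.3.1 can reject oversized input before it reaches request.form(). The function and exception names are this example's own, it uses only the standard library, and it does not reproduce Starlette's parser.

```python
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(ValueError):
    """Raised when a urlencoded body violates a configured bound."""


def parse_urlencoded_bounded(
    body: bytes, *, max_fields: int = 1000, max_part_size: int = 1024 * 1024
) -> list[tuple[str, str]]:
    """Parse application/x-www-form-urlencoded bytes with hard limits.

    max_fields caps the number of name=value pairs and max_part_size caps the
    decoded byte length of any single name or value; both are checked pair by
    pair so parsing stops at the first violation.
    """
    fields: list[tuple[str, str]] = []
    # Split only on '&'; ';' is treated as ordinary data (WHATWG behaviour).
    for raw_pair in body.split(b"&"):
        if not raw_pair:
            continue  # tolerate empty segments such as "a=1&&b=2"
        if len(fields) >= max_fields:
            raise FormLimitExceeded(f"more than {max_fields} fields")
        raw_name, _, raw_value = raw_pair.partition(b"=")
        # '+' encodes a space in this format; percent-decode afterwards.
        name = unquote_to_bytes(raw_name.replace(b"+", b" "))
        value = unquote_to_bytes(raw_value.replace(b"+", b" "))
        if len(name) > max_part_size or len(value) > max_part_size:
            raise FormLimitExceeded(f"field exceeds {max_part_size} bytes")
        fields.append((name.decode("utf-8", "replace"),
                       value.decode("utf-8", "replace")))
    return fields


def check_form_body(body: bytes, content_type: str, **limits: int) -> str:
    """Return "ok" or a rejection reason for a request body.

    Only urlencoded bodies are checked here: multipart bodies are left to the
    framework, whose multipart parser already applies these limits.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return "ok"
    try:
        parse_urlencoded_bounded(body, **limits)
    except FormLimitExceeded as exc:
        return f"rejected: {exc}"
    return "ok"
```

Run check_form_body on the raw body and Content-Type header (for example in middleware) with the same max_fields and max_part_size values the application passes to request.form(), and answer 413 on a "rejected" result.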