#1140632 starlette: CVE-2026-54282

Package:
src:starlette
Source:
src:starlette
Submitter:
Salvatore Bonaccorso
Date:
2026-06-23 19:21:04 UTC
Severity:
normal
Tags:
#1140632#5
Date:
2026-06-23 19:20:30 UTC
From:
To:
Hi,

The following vulnerability was published for starlette.

CVE-2026-54282[0]:
| Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0,
| the HTTP request path is not validated before being used to
| reconstruct request.url. Because request.url is rebuilt by
| concatenating {scheme}://{host}{path} and re-parsing the result, a
| path that does not begin with / (for example @google.com) moves the
| authority boundary during re-parsing, so request.url.hostname and
| request.url.netloc become attacker-controlled. Code that reads
| request.url.hostname (rather than the Host header or scope) can
| therefore be misled into trusting an attacker-supplied host. This
| vulnerability is fixed in 1.3.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54282
https://www.cve.org/CVERecord?id=CVE-2026-54282
[1] https://github.com/Kludex/starlette/pull/3326
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-jp82-jpqv-5vv3
[3] https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore