CVE-2026-54283 | Starlette is a lightweight ASGI framework/toolkit. From 0.4.… | CVSS 7.5 HIGH

Description

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Metadata

CVE ID: CVE-2026-54283
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:46 UTC
Published: 2026-06-22 16:46 UTC
Last updated: 2026-06-22 16:46 UTC
Primary CWE: CWE-770
CWE-770: Allocation of Resources Without Limits or Throttlin…
Vendor / Product: Kludex / starlette
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Kludex	starlette	—	>= 0.4.1, < 1.3.1

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq