CVE-2025-62727 HIGH

CVE-2025-62727: Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse

Vendor Kludex
Product starlette
Weakness CWE-407
Published October 28, 2025
Last update November 4, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.

Key dates

02Disclosure timeline

October 28, 2025 CVE published
November 4, 2025 Record updated