CVE-2025-54121: CWE-770: Allocation of Resources Without Limits or Throttling in encode starlette
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
AI Analysis
Technical Summary
CVE-2025-54121 is a medium-severity denial-of-service vulnerability in Starlette, the lightweight ASGI toolkit used for building asynchronous web services in Python and the foundation of FastAPI. It affects versions 0.47.1 and below. The flaw sits in the multipart form parser, which runs when an application awaits request.form() or, in FastAPI, declares File or Form parameters. Each uploaded file part is buffered in an UploadFile backed by a SpooledTemporaryFile: bytes are held in memory until a spool threshold (1 MiB by default) is reached, after which the buffer is rolled over to a temporary file on disk. UploadFile.write() only checked whether the buffer was currently in memory (self._in_memory) and, if so, wrote synchronously; it did not check whether the bytes being appended would push the buffer past the threshold. The write that crosses the threshold therefore performs the rollover, a synchronous copy of the spooled content to disk, on the event loop thread. While that copy runs, the worker makes no progress on any other coroutine: in-flight requests stall and new connections are not accepted, which is the denial-of-service condition. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS 3.1 base score is 5.3 (medium): network attack vector, low complexity, no privileges or user interaction required, no confidentiality or integrity impact, and low availability impact. Starlette 0.47.2 fixes the issue by testing whether the incoming chunk will trigger a rollover and, if so, performing the write in the thread pool, as was already done for buffers that had rolled to disk. No exploitation in the wild was reported as of publication. Any Starlette or FastAPI application that parses multipart uploads on an exposed endpoint is nonetheless at risk: an unauthenticated client only needs to POST a multipart body containing a file part larger than the spool threshold, and can repeat the request to keep the loop stalled.
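The rollover decision described above, as an added example that is not Starlette's own code: a small model of UploadFile's buffering built directly on SpooledTemporaryFile, with the pre-0.47.2 check (act on the current in-memory state only) beside the corrected check (ask whether this chunk will cross the threshold). The class name SpooledUpload, the will_roll() helper and the tiny 64-byte spool limit used in the scenario are assumptions for illustration; Starlette's real default threshold is 1 MiB.

```python
"""Model of the UploadFile.write() rollover decision behind CVE-2025-54121.

Constructed example: mirrors the shape of Starlette's logic (in-memory spool,
inline write vs. thread-pool write) without importing Starlette itself.
"""
import asyncio
from tempfile import SpooledTemporaryFile

# Starlette spools file parts to disk past 1 MiB by default; the scenario
# below uses a tiny limit so the rollover is cheap to trigger.
DEFAULT_SPOOL_MAX_SIZE = 1024 * 1024


class SpooledUpload:
    """Stand-in for UploadFile (illustrative name): a buffer that rolls to disk."""

    def __init__(self, max_size: int = DEFAULT_SPOOL_MAX_SIZE) -> None:
        self.file = SpooledTemporaryFile(max_size=max_size)
        self.max_size = max_size
        # One entry per write: True if it ran in a worker thread,
        # False if it ran inline on the event loop thread.
        self.offloaded: list[bool] = []

    @property
    def in_memory(self) -> bool:
        # SpooledTemporaryFile flips its private _rolled flag once it is on disk.
        return not getattr(self.file, "_rolled", True)

    def will_roll(self, size_to_add: int) -> bool:
        """Would appending size_to_add bytes cross the spool threshold?"""
        if not self.in_memory:
            return True  # already on disk: every write touches the disk
        return self.file.tell() + size_to_add > self.max_size

    async def write_vulnerable(self, data: bytes) -> None:
        """Pre-0.47.2 shape: decides on the *current* state only."""
        if self.in_memory:
            self.offloaded.append(False)
            self.file.write(data)  # the write that crosses the threshold rolls over here, on the loop
        else:
            self.offloaded.append(True)
            await asyncio.to_thread(self.file.write, data)

    async def write_fixed(self, data: bytes) -> None:
        """Corrected shape: also asks whether *this* chunk triggers the rollover."""
        if self.will_roll(len(data)):
            self.offloaded.append(True)
            await asyncio.to_thread(self.file.write, data)
        else:
            self.offloaded.append(False)
            self.file.write(data)


def rollover_write_offloaded(variant: str, max_size: int = 64) -> bool:
    """Upload two chunks whose second one crosses max_size.

    Returns True if the chunk that caused the rollover was written in a
    worker thread (loop stays responsive), False if it ran on the loop.
    """
    async def run() -> bool:
        upload = SpooledUpload(max_size)
        write = upload.write_vulnerable if variant == "vulnerable" else upload.write_fixed
        await write(b"a" * 48)  # 48 <= 64: stays in memory under both variants
        await write(b"b" * 48)  # 96 > 64: this write rolls the spool to disk
        assert not upload.in_memory, "rollover did not happen"
        result = upload.offloaded[1]
        upload.file.close()
        return result

    return asyncio.run(run())


if __name__ == "__main__":
    print("vulnerable: rollover write offloaded?", rollover_write_offloaded("vulnerable"))
    print("fixed:      rollover write offloaded?", rollover_write_offloaded("fixed"))
```

The only difference between the two write methods is the predicate: the vulnerable one consults state that is still "in memory" at the instant the oversized chunk arrives, so the disk copy happens inline; the corrected one looks one write ahead and moves that write off the loop.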
Potential Impact
For European organizations running Starlette versions prior to 0.47.2, including FastAPI applications, which build on Starlette, the practical consequence is denial of service on any web service that accepts multipart file uploads. Because the blocking happens on the worker's event loop, the stall affects every request that worker is serving, not only the upload that triggered it: legitimate users see timeouts or degraded latency, and in a single-worker deployment the whole service is unresponsive for the duration of each rollover. This is especially critical for sectors relying on real-time or high-availability asynchronous services, such as financial services, healthcare, e-government portals, and online retail platforms prevalent across Europe. The vulnerability does not compromise confidentiality or integrity, but the availability impact can disrupt critical operations and customer-facing services. Exploitation needs no authentication, no user interaction and no tooling beyond a multipart POST, so automated or opportunistic attacks against exposed upload endpoints are realistic. Organizations with public-facing APIs or web applications that use Starlette for file uploads are most at risk. The absence of known exploits means proactive patching can close the gap before exploitation becomes widespread.
Mitigation Recommendations
European organizations should immediately identify every deployment running Starlette below 0.47.2, including FastAPI applications, which pull Starlette in transitively. The primary mitigation is to upgrade Starlette to version 0.47.2 or later, where the UploadFile rollover logic is fixed. In addition to patching, the following practical controls apply: 1) Enforce a maximum request body size at the reverse proxy or web server in front of the application (for example client_max_body_size in nginx) and, as a second line, in an ASGI middleware that checks Content-Length and counts streamed bytes; this does not remove the rollover, but it bounds how much data a single request can push through the parser and so how long it can stall the loop. 2) Do not rely on background processing inside the request handler: the blocking occurs inside Starlette's multipart parser, before the handler's own code runs, so endpoints that must accept large files should bypass request.form() and consume request.stream() themselves, handing each chunk to a thread pool for disk writes. 3) Monitor event loop responsiveness (for example the lag of a periodic heartbeat coroutine) alongside request latency to detect abnormal stalls indicative of exploitation attempts. 4) Use web application firewalls (WAFs) or API gateways to throttle or reject large multipart/form-data requests, in particular bursts of them from a single source. 5) Conduct regular dependency audits and integrate automated vulnerability scanning (pip-audit or equivalent) in CI/CD pipelines to detect outdated Starlette versions. These measures collectively reduce the risk of denial-of-service attacks exploiting this vulnerability and improve the overall resilience of asynchronous Python web services.
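The application-level body limit from the first recommendation, as an added example that is not Starlette's own code: a pure-ASGI middleware (no Starlette import, so it can be read without the framework installed) that rejects a request with 413 when Content-Length exceeds the limit, and, because chunked uploads carry no Content-Length and a client may understate it, also counts the bytes actually delivered through receive(). The class and function names, the 8 MiB default and the simulate() harness that feeds it constructed ASGI messages are assumptions for this example.

```python
"""Pure-ASGI request body limiter (constructed example, not Starlette code).

Refuses oversized bodies before the downstream app ever calls request.form(),
so a single request can push at most max_body_bytes through the parser.
"""
import asyncio
from typing import Optional

DEFAULT_MAX_BODY_BYTES = 8 * 1024 * 1024  # 8 MiB: illustrative, tune per endpoint


class BodyTooLarge(Exception):
    """Raised from the wrapped receive() once the streamed body exceeds the limit."""


def declared_content_length(scope: dict) -> Optional[int]:
    """Parse Content-Length from the ASGI scope; None if absent or malformed."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"content-length":
            try:
                return int(value)
            except ValueError:
                return None
    return None


async def send_413(send) -> None:
    body = b"Payload Too Large"
    await send({"type": "http.response.start", "status": 413,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class BodySizeLimitMiddleware:
    def __init__(self, app, max_body_bytes: int = DEFAULT_MAX_BODY_BYTES) -> None:
        self.app = app
        self.max_body_bytes = max_body_bytes

    async def __call__(self, scope, receive, send) -> None:
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        # Fast path: a declared Content-Length above the limit is rejected
        # without reading a single body byte.
        declared = declared_content_length(scope)
        if declared is not None and declared > self.max_body_bytes:
            await send_413(send)
            return

        # Slow path: count what actually arrives, since the header may be
        # missing (chunked transfer) or smaller than the real body.
        seen = 0
        response_started = False

        async def counting_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_body_bytes:
                    raise BodyTooLarge(seen)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, counting_receive, tracking_send)
        except BodyTooLarge:
            if not response_started:
                await send_413(send)
            # If headers were already sent, the server will close the connection.


async def drain_body_app(scope, receive, send) -> None:
    """Downstream app that reads the whole body, as request.form() would."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})


def simulate(headers, chunks, max_body_bytes) -> tuple:
    """Drive the middleware with constructed ASGI messages; returns (status, body)."""
    async def run():
        app = BodySizeLimitMiddleware(drain_body_app, max_body_bytes)
        scope = {"type": "http", "method": "POST", "path": "/upload", "headers": list(headers)}
        pending, sent = list(chunks), []

        async def receive():
            chunk = pending.pop(0)
            return {"type": "http.request", "body": chunk, "more_body": bool(pending)}

        async def send(message):
            sent.append(message)

        await app(scope, receive, send)
        body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
        return sent[0]["status"], body

    return asyncio.run(run())
```

In a Starlette or FastAPI application the middleware is registered with app.add_middleware(BodySizeLimitMiddleware, max_body_bytes=...), which places it inside Starlette's own error-handling middleware so the 413 is delivered rather than turned into a 500. Setting the limit below the 1 MiB spool threshold removes the rollover entirely; a larger limit still caps how long one request can occupy the loop, which is the point of this control while the upgrade is rolled out.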
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T23:53:40.508Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687ea00aa83201eaac13ae53
Added to database: 7/21/2025, 8:16:10 PM
Last enriched: 7/29/2025, 1:18:59 AM
Last updated: 8/21/2025, 11:48:43 AM
Related Threats
- CVE-2025-50722: n/a (Unknown)
- CVE-2025-9410: SQL Injection in lostvip-com ruoyi-go (Medium)
- CVE-2025-29421: n/a (High)
- CVE-2025-29420: n/a (High)
- CVE-2025-6737: CWE-1391: Use of Weak Credentials in Securden Unified PAM (High)