CVE-2025-54121: CWE-770: Allocation of Resources Without Limits or Throttling in encode starlette
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
CVE-2025-54121: CWE-770: Allocation of Resources Without Limits or Throttling in encode starlette
Description
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-07-16T23:53:40.508Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 687ea00aa83201eaac13ae53
Added to database: 7/21/2025, 8:16:10 PM
Last updated: 7/21/2025, 8:16:10 PM
Views: 1
Related Threats
CVE-2025-7938: Authorization Bypass in jerryshensjf JPACookieShop 蛋糕商城JPA版
MediumCVE-2025-54071: CWE-434: Unrestricted Upload of File with Dangerous Type in rommapp romm
CriticalCVE-2025-51868: n/a
UnknownCVE-2025-7231: CWE-787: Out-of-bounds Write in INVT VT-Designer
HighCVE-2025-7230: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in INVT VT-Designer
HighActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.