CVE-2025-62727: CWE-407: Inefficient Algorithmic Complexity in Kludex starlette
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
AI Analysis
Technical Summary
CVE-2025-62727 is an inefficient algorithmic complexity vulnerability (CWE-407) found in the Kludex Starlette ASGI framework, specifically in the FileResponse component's handling of HTTP Range headers. Starting from version 0.39.0 up to but not including 0.49.1, the Range parsing and merging logic processes crafted Range headers in quadratic time relative to the number of ranges specified. An attacker can exploit this by sending HTTP requests with specially crafted Range headers containing numerous or overlapping ranges, causing the server to consume excessive CPU resources while parsing these headers. This leads to CPU exhaustion and denial-of-service conditions on endpoints serving files, such as StaticFiles or any use of FileResponse. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network. While it does not compromise data confidentiality or integrity, it severely impacts availability by degrading or halting service. The issue was publicly disclosed on October 28, 2025, with a CVSS v3.1 score of 7.5 (high severity). The vulnerability is fixed in Starlette version 0.49.1, which optimizes the Range header processing to prevent quadratic-time complexity. No known exploits are currently observed in the wild, but the ease of exploitation and impact warrant immediate attention. Organizations using vulnerable Starlette versions in production, especially those exposing file-serving endpoints, should prioritize patching and consider additional mitigations such as request rate limiting and monitoring for abnormal Range header usage.
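The property a fix for this class of bug needs is that the number of ranges in the header never drives a nested loop. The following is an added example, not Starlette's own FileResponse code: it parses a `bytes=` Range header, refuses it above a hard cap before any per-range work, and merges overlapping or adjacent ranges in a single pass over the sorted list. The function names, the `MAX_RANGES` value and the error class are assumptions.

```python
import re

MAX_RANGES = 64  # assumed policy value, not a Starlette setting
_RANGE_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

class RangeError(ValueError):
    """Invalid, oversized or unsatisfiable Range header (map to 400/416)."""

def parse_ranges(header: str, file_size: int, max_ranges: int = MAX_RANGES) -> list:
    """Parse 'bytes=a-b,c-d,...' into sorted, merged half-open [start, end) pairs.
    The cap is checked before any per-range work and merging is one pass over
    the sorted list, so cost is O(n log n) in the range count, never O(n^2)."""
    unit, sep, spec = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise RangeError("unsupported range unit")
    parts = spec.split(",")
    if len(parts) > max_ranges:
        raise RangeError(f"too many ranges ({len(parts)} > {max_ranges})")
    ranges = []
    for part in parts:
        m = _RANGE_RE.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise RangeError(f"malformed range: {part!r}")
        if m.group(1) == "":  # suffix form "-N": the last N bytes
            n = int(m.group(2))
            start, end = max(0, file_size - n), file_size
        else:
            start = int(m.group(1))
            end = file_size if m.group(2) == "" else min(int(m.group(2)) + 1, file_size)
        if start >= file_size or start >= end:  # also catches "-0" and a > b
            raise RangeError(f"unsatisfiable range: {part!r}")
        ranges.append((start, end))
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        last_start, last_end = merged[-1]
        if start <= last_end:  # overlapping or adjacent: extend the last range
            merged[-1] = (last_start, max(last_end, end))
        else:
            merged.append((start, end))
    return merged

def rejects(header: str, file_size: int) -> bool:
    """True if the header is refused; used to confirm the cap short-circuits."""
    try:
        parse_ranges(header, file_size)
    except RangeError:
        return True
    return False
```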
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of web applications that use Starlette versions between 0.39.0 and 0.49.1 to serve static files or file responses. Public-facing services that rely on these endpoints can be targeted by attackers to cause denial-of-service, resulting in downtime, degraded user experience, and potential loss of business or reputation. Critical infrastructure or services that depend on Starlette for file delivery could face operational disruptions. Since the vulnerability does not require authentication or user interaction, it can be exploited by any remote attacker, increasing the attack surface. The CPU exhaustion caused by the quadratic-time processing can also lead to increased operational costs due to resource overuse and may trigger cascading failures in dependent systems. European organizations in sectors such as finance, government, healthcare, and e-commerce that rely on Python-based web frameworks are particularly vulnerable. Additionally, regulatory requirements around service availability and incident response in Europe heighten the importance of timely mitigation.
Mitigation Recommendations
1. Upgrade all Starlette deployments to version 0.49.1 or later immediately to apply the fix that optimizes Range header processing and eliminates the quadratic-time complexity.
2. Implement strict rate limiting on HTTP requests targeting file-serving endpoints to reduce the risk of CPU exhaustion from malicious Range headers.
3. Monitor web server and application logs for abnormal or excessive Range header usage patterns indicative of exploitation attempts.
4. Use Web Application Firewalls (WAFs) or reverse proxies capable of detecting and blocking suspicious Range headers or malformed requests.
5. Conduct regular security audits and penetration testing focused on file-serving endpoints to identify potential exploitation vectors.
6. Consider disabling support for HTTP Range headers on endpoints where partial content delivery is not required.
7. Educate development and operations teams about this vulnerability and ensure patch management processes prioritize such high-severity issues.
8. In environments where immediate upgrade is not feasible, deploy mitigations such as CPU usage limits per request or container resource constraints to limit impact.
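Where upgrading is delayed, items 4, 6 and 8 can be enforced in-process without touching Starlette. The following is an added example, not from the advisory or the Starlette project: a framework-agnostic ASGI middleware that counts the byte ranges in any `Range` header and either refuses the request with 416 or strips the header before the wrapped app (for instance `StaticFiles`) sees it. The cap of 32, the 416 policy and the `simulate` harness are assumptions.

```python
from __future__ import annotations
import asyncio

class RangeLimitMiddleware:
    """Reject or strip Range headers with more than max_ranges byte ranges."""
    def __init__(self, app, max_ranges: int = 32, strip: bool = False):
        self.app, self.max_ranges, self.strip = app, max_ranges, strip

    @staticmethod
    def _range_count(scope) -> int:
        # ASGI header names are lowercase bytes; each comma separates one range spec.
        return sum(v.count(b",") + 1 for k, v in scope.get("headers", []) if k == b"range")

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and self._range_count(scope) > self.max_ranges:
            if self.strip:  # serve the whole file instead of partial content
                scope = dict(scope, headers=[h for h in scope["headers"] if h[0] != b"range"])
            else:           # assumed policy: refuse with 416 before the app does any work
                await send({"type": "http.response.start", "status": 416,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"too many ranges"})
                return
        await self.app(scope, receive, send)

async def _echo_app(scope, receive, send):
    """Stand-in for a file-serving app: replies with how many Range headers it saw."""
    n = sum(1 for k, _ in scope["headers"] if k == b"range")
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(n).encode()})

def simulate(range_header: bytes | None, max_ranges: int = 32, strip: bool = False):
    """Drive one constructed GET through the middleware; return (status, body)."""
    headers = [(b"host", b"example.test")]  # constructed request, no network
    if range_header is not None:
        headers.append((b"range", range_header))
    scope = {"type": "http", "method": "GET", "path": "/static/big.bin", "headers": headers}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    app = RangeLimitMiddleware(_echo_app, max_ranges=max_ranges, strip=strip)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"], sent[1]["body"]
```

Wrap the real application the same way (`RangeLimitMiddleware(starlette_app)`) and log the 416s as a detection signal for the abnormal Range usage item 3 asks for.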
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.742Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690126348f7e67aef0117ded
Added to database: 10/28/2025, 8:23:16 PM
Last enriched: 11/5/2025, 12:56:36 AM
Last updated: 12/14/2025, 12:57:10 PM