CVE-2025-62727 is an algorithmic complexity vulnerability classified under CWE-407 found in the Kludex starlette framework, a lightweight ASGI toolkit widely used for building asynchronous web applications in Python. The flaw exists in the handling of HTTP Range headers within the FileResponse component, which is responsible for serving file content with support for partial content requests. Prior to version 0.49.1, the Range header parsing and merging logic exhibits quadratic time complexity when processing crafted Range headers. An unauthenticated attacker can exploit this by sending maliciously crafted HTTP Range headers that cause the server to perform excessive CPU work per request. This results in CPU exhaustion, effectively causing a denial-of-service condition on endpoints serving files, such as those using StaticFiles or any FileResponse usage. The vulnerability does not affect confidentiality or integrity but severely impacts availability. It requires no privileges or user interaction and can be triggered remotely. The issue was publicly disclosed on October 28, 2025, with a CVSS v3.1 score of 7.5, indicating a high severity level. The fix involves optimizing the Range header parsing logic to avoid quadratic-time processing, and upgrading to starlette version 0.49.1 or later mitigates the vulnerability. No known exploits are currently reported, but the vulnerability poses a significant risk to services relying on vulnerable versions of starlette for file serving.

For European organizations, this vulnerability poses a significant risk to the availability of web services that utilize the starlette framework for serving static files or file responses. Organizations running vulnerable versions (<0.49.1) of starlette in production could experience denial-of-service attacks that exhaust CPU resources, leading to service outages or degraded performance. This can affect public-facing web applications, internal portals, or APIs that serve files, potentially disrupting business operations and user access. The impact is particularly critical for sectors relying on high availability and responsiveness, such as e-commerce, government services, healthcare, and financial institutions. Additionally, the unauthenticated and remote nature of the exploit increases the attack surface, making it easier for attackers to target vulnerable endpoints without needing credentials or user interaction. While confidentiality and integrity are not directly impacted, the availability disruption can indirectly affect organizational reputation and compliance with service-level agreements (SLAs) and regulatory requirements. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

European organizations should immediately assess their use of the starlette framework, specifically checking for versions prior to 0.49.1. The primary mitigation is to upgrade all starlette instances to version 0.49.1 or later, where the vulnerability is fixed. For environments where immediate upgrade is not feasible, organizations should implement network-level protections such as rate limiting and filtering of suspicious HTTP Range headers to reduce the risk of exploitation. Web application firewalls (WAFs) can be configured to detect and block abnormal Range header patterns indicative of an attack. Monitoring CPU usage and request patterns on endpoints serving files can help detect potential exploitation attempts early. Additionally, applying strict input validation and limiting the size and number of Range requests can mitigate the risk. Organizations should also review their incident response plans to handle potential denial-of-service incidents and ensure timely patch management processes are in place to address such vulnerabilities promptly.