Impact
Starlette versions 1.0.1 and earlier allow a request to be dispatched to any HTTP method without restricting the set of verbs. The framework lowercases the method name and uses getattr to look up an attribute on the HTTPEndpoint subclass. If a non‑standard HTTP method whose lowercased name matches an attribute on the endpoint reaches the handler, that attribute is executed as if it were a request handler. This flaw is a classic instance of CWE‑470, where externally controlled input determines code to execute, and also a form of CWE‑749 where the same resource (an endpoint method) can be invoked repeatedly via arbitrary verbs. The result is an attacker gaining direct entry to internal helper methods that were never intended to be exposed, bypassing the authorization logic of the public handler and potentially enabling privileged actions or information disclosure.
Affected Systems
The vulnerable product is the Kludex Starlette framework, version 1.0.1 and earlier. Applications built on Starlette or Starlette‑based frameworks such as FastAPI are also affected when they register an HTTPEndpoint subclass via Route(...) without explicitly specifying the methods= argument and when that subclass contains additional methods named after non‑standard HTTP verbs, taking a single request argument and returning a response.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate impact. The EPSS score is below 1 %, implying a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is over the network using an arbitrary HTTP method, which can reach the endpoint through normal request traffic. If exploited, the attacker can execute internal helper logic without going through the proper security controls. The issue was corrected in Starlette 1.1.0.
OpenCVE Enrichment
Github GHSA