Description
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Published: 2026-06-22
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can supply a request path that does not begin with a forward slash, causing Starlette to rebuild the request URL by concatenating scheme, host, and path before re‑parsing it. This sets the authority boundary incorrectly so that request.url.hostname and request.url.netloc are derived from the attacker‑supplied path rather than from the Host header. If application code trusts request.url.hostname—for authentication, routing, or security checks—it can be convinced of a forged host, enabling trust‑based attacks such as diverted request handling or credential reuse. The issue was addressed by validating the path before URL reconstruction in version 1.3.0.

Affected Systems

All releases of the Kludex Starlette framework older than version 1.3.0 are affected. Any application that imports and uses Starlette and processes client requests without patching is potentially exposed.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and the EPSS score is < 1%, indicating a negligible but non-zero exploitation probability, suggesting limited evidence of exploitation, as reflected in its absence from CISA KEV. However, the flaw can be triggered by a crafted HTTP request to the web application; it requires. Attackers would likely use remote HTTP traffic to send a path such as '@google.com/some/route', causing the framework to generate a URL whose hostname is attacker‑controlled. Because the vulnerability is not mitigated by network isolation, it could be effective against publicly exposed services that run older Starlette versions.

Generated by OpenCVE AI on June 29, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Starlette library to version 1.3.0 or later.
  • Replace any reliance on request.url.hostname with the Host header or the scope’s server information when determining the request’s originating host.
  • Implement middleware that validates that request paths begin with a forward slash before allowing URL reconstruction or further processing.

Generated by OpenCVE AI on June 29, 2026 at 14:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jp82-jpqv-5vv3 Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

threat_severity

Low


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex starlette
Vendors & Products Kludex
Kludex starlette

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Title Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Weaknesses CWE-706
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Kludex Starlette
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:26:58.637Z

Reserved: 2026-06-12T17:46:37.292Z

Link: CVE-2026-54282

cve-icon Vulnrichment

Updated: 2026-06-22T17:26:53.260Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T16:45:01Z

Links: CVE-2026-54282 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:30:18Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-706

    Use of Incorrectly-Resolved Name or Reference