Impact
In Starlette, the request.form() method can accept max_fields and max_part_size limits to bound memory and processing usage when parsing submitted form data. Those limits were properly enforced for multipart/form-data but silently ignored for application/x-www-form-urlencoded requests. An attacker who can send an HTTP request with an exceptionally large number of form fields or an oversized field value can force the framework to allocate excessive memory or CPU time, potentially exhausting resources and causing the application to become unresponsive. The vulnerability directly leads to a denial‑of‑service condition and is graded as Medium‑High severity with a CVSS score of 7.5.
Affected Systems
The issue impacts the Kludex Starlette library, specifically versions from 0.4.1 through 1.3.0. Starlette 1.3.1 contains the fix and is no longer vulnerable.
Risk and Exploitability
This flaw is remotely exploitable by an unauthenticated attacker who can submit a crafted application/x-www-form-urlencoded payload. The CVSS score of 7.5 reflects the potential for resource exhaustion. EPSS for this vulnerability is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. Nevertheless, the lack of limitations on the form body size means that any system receiving untrusted user input could be forced into denial of service if an oversized payload is sent.
OpenCVE Enrichment
Github GHSA