Description
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Published: 2026-06-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Starlette, the request.form() method can accept max_fields and max_part_size limits to bound memory and processing usage when parsing submitted form data. Those limits were properly enforced for multipart/form-data but silently ignored for application/x-www-form-urlencoded requests. An attacker who can send an HTTP request with an exceptionally large number of form fields or an oversized field value can force the framework to allocate excessive memory or CPU time, potentially exhausting resources and causing the application to become unresponsive. The vulnerability directly leads to a denial‑of‑service condition and is graded as Medium‑High severity with a CVSS score of 7.5.

Affected Systems

The issue impacts the Kludex Starlette library, specifically versions from 0.4.1 through 1.3.0. Starlette 1.3.1 contains the fix and is no longer vulnerable.

Risk and Exploitability

This flaw is remotely exploitable by an unauthenticated attacker who can submit a crafted application/x-www-form-urlencoded payload. The CVSS score of 7.5 reflects the potential for resource exhaustion. EPSS for this vulnerability is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. Nevertheless, the lack of limitations on the form body size means that any system receiving untrusted user input could be forced into denial of service if an oversized payload is sent.

Generated by OpenCVE AI on June 22, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Starlette 1.3.1 or later to apply the fix
  • Verify that application configuration sets max_fields and max_part_size and that the framework applies those limits to all POST data types
  • Add front‑end throttling or request size restrictions in the web server or API gateway to block overlarge form submissions before they reach the application

Generated by OpenCVE AI on June 22, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-82w8-qh3p-5jfq Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex starlette
Vendors & Products Kludex
Kludex starlette

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Title Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Kludex Starlette
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:10:51.227Z

Reserved: 2026-06-12T17:46:37.292Z

Link: CVE-2026-54283

cve-icon Vulnrichment

Updated: 2026-06-23T16:06:34.955Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-22T16:46:16Z

Links: CVE-2026-54283 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:15:04Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling