CVE-2026-54283

Name: CVE-2026-54283
Description: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release               Version              Status
starlette (PTS)    bullseye              0.14.1-1             vulnerable
                   bookworm              0.26.1-1             vulnerable
                   bookworm (security)   0.26.1-1+deb12u1     vulnerable
                   trixie                0.46.1-3+deb13u1     vulnerable
                   trixie (security)     0.46.1-3+deb13u2     vulnerable
                   forky, sid            1.1.0-1              vulnerable

The information below is based on the following data on fixed versions.

Package      Type      Release       Fixed Version   Urgency   Origin   Debian Bugs
starlette    source    (unstable)    (unfixed)

Notes

https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq
https://github.com/Kludex/starlette/pull/3329
Fixed by: https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735 (1.3.1)
