CVE-2025-54121
Denial of Service vulnerability in starlette (PyPI)

Denial of Service · No known exploit · Fixable by Resolved Security

What is CVE-2025-54121 About?

This Denial of Service vulnerability in `starlette` occurs when parsing multi-part forms with large files: when a spooled upload rolls over from memory to disk, the write is performed synchronously on the event-loop thread, which blocks it. While blocked, the application cannot accept new connections, impacting availability. Exploitation involves sending large files through multi-part forms.

Affected Software

starlette <0.47.2

Technical Details

The vulnerability in starlette arises during the parsing of multi-part forms containing large files (exceeding the default max spool size). When such a file needs to be rolled over from memory to disk, the affected implementation blocks the event-loop thread while performing the synchronous file.write operation. UploadFile.write decides where to run the write based on the _in_memory property: if the spooled file has already rolled to disk, the write is offloaded with run_in_threadpool; otherwise it calls self.file.write(data) directly on the event loop. The check does not consider whether the bytes being added will themselves cause the rollover, so the single write that pushes the file past the spool limit, which includes copying the buffered contents to disk, runs synchronously in the async context. This synchronous I/O blocks the event loop, preventing starlette from accepting new connections or processing other requests, leading to a denial-of-service condition.

What is the Impact of CVE-2025-54121?

Successful exploitation may allow attackers to block the main event thread, preventing new connections and leading to a denial of service for legitimate users, impacting system availability.

What is the Exploitability of CVE-2025-54121?

Exploitation complexity is low, primarily requiring the ability to send HTTP requests with large multi-part form data to a starlette application. Prerequisites include the application accepting multi-part form uploads. Authentication requirements depend on whether the upload functionality is exposed to unauthenticated users; if so, remote, unauthenticated exploitation is possible. Privilege requirements are low, as the attack focuses on resource exhaustion and blocking the event loop. This is primarily a remote vulnerability. Special conditions involve the size of the uploaded files exceeding the max spool size to trigger the synchronous disk write. Risk factors increase if starlette applications handle large file uploads without proper size limits or rate limiting for untrusted users, or if deployed on systems with slow I/O where the blocking operation is more impactful.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-54121?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch ensures that when an UploadFile backed by a SpooledTemporaryFile is about to "roll over" from memory to disk because a write would exceed its memory limit, that write is always performed in a threadpool, preventing blocking operations in the event loop. This fixes CVE-2025-54121 by guaranteeing that the potentially expensive file I/O of a rollover does not happen in the main async context, thus maintaining async safety and removing a denial-of-service vector caused by unintentional synchronous disk writes.
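The following is an added, self-contained illustration of the write-path logic described in Technical Details and of the fix described above; it is not starlette's code. It re-creates both decision rules around a real `tempfile.SpooledTemporaryFile`, uses `asyncio.to_thread` as a stand-in for starlette's `run_in_threadpool`, and uses a constructed 1 KiB spool limit instead of the library default. It assumes CPython's `SpooledTemporaryFile` exposes the private attributes `_rolled` and `_max_size` (used here only to observe rollover state). The log it returns records, for each chunk, whether the write would have run on the event loop or in a worker thread.

```python
import asyncio
from tempfile import SpooledTemporaryFile

# Constructed spool limit for the demonstration (starlette's real default is larger).
MAX_SPOOL = 1024

# Constructed upload chunks: the second write pushes the file past MAX_SPOOL.
CHUNKS = [b"a" * 600, b"b" * 600, b"c" * 100]


def in_memory(spool: SpooledTemporaryFile) -> bool:
    """Mirror of the `_in_memory` check: True until the spool has rolled to disk.

    Assumption: CPython's SpooledTemporaryFile sets `_rolled` once it rolls over.
    """
    return not getattr(spool, "_rolled", True)


def will_roll(spool: SpooledTemporaryFile, size_to_add: int) -> bool:
    """Predict whether writing `size_to_add` bytes will trigger a rollover.

    Assumption: CPython's SpooledTemporaryFile stores its limit in `_max_size`.
    """
    if not in_memory(spool):
        return True  # already on disk: every write is disk I/O
    max_size = getattr(spool, "_max_size", None)
    if max_size is None:
        return False
    return spool.tell() + size_to_add > max_size


async def write_vulnerable(spool, data: bytes, log: list) -> None:
    """Affected behaviour: only already-rolled files are written off the loop.

    The write that causes the rollover still runs on the event loop.
    """
    if in_memory(spool):
        log.append("event-loop")
        spool.write(data)  # may roll over to disk synchronously here
    else:
        log.append("threadpool")
        await asyncio.to_thread(spool.write, data)


async def write_fixed(spool, data: bytes, log: list) -> None:
    """Fixed behaviour: any write that will roll over is sent to a worker thread."""
    if will_roll(spool, len(data)):
        log.append("threadpool")
        await asyncio.to_thread(spool.write, data)
    else:
        log.append("event-loop")
        spool.write(data)  # small in-memory append, safe on the loop


def simulate(writer, chunks):
    """Feed `chunks` through `writer`; return (per-chunk placement log, rolled?)."""

    async def run():
        log = []
        with SpooledTemporaryFile(max_size=MAX_SPOOL, mode="w+b") as spool:
            for chunk in chunks:
                await writer(spool, chunk, log)
            rolled = bool(getattr(spool, "_rolled", False))
        return log, rolled

    return asyncio.run(run())


if __name__ == "__main__":
    print("vulnerable:", simulate(write_vulnerable, CHUNKS))
    print("fixed:     ", simulate(write_fixed, CHUNKS))
```

Running it shows the difference on the second chunk: the affected rule keeps that write on the event loop because the file is still "in memory" at decision time, even though the write itself performs the rollover; the fixed rule predicts the rollover from the current offset plus the incoming length and moves that write, and everything after it, to the threadpool.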

Available Upgrade Options

  • starlette
    • <0.47.2 → Upgrade to 0.47.2

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2025-54121?

Similar Vulnerabilities: CVE-2023-44673, CVE-2022-45047, CVE-2021-44757, CVE-2020-13936, CVE-2022-42289