CVE-2025-62727
Denial of Service vulnerability in starlette (PyPI)
What is CVE-2025-62727 About?
This vulnerability allows an unauthenticated attacker to trigger quadratic-time processing in Starlette's `FileResponse` component by sending a crafted HTTP Range header. This leads to CPU exhaustion, effectively causing a denial of service for applications that serve files. Exploitation is relatively easy, requiring only a single HTTP request with a specially formed header.
Affected Software
Technical Details
The vulnerability resides in the `_parse_range_header()` method of Starlette's `FileResponse` class, specifically in its handling of HTTP Range headers for multi-range requests. The parsing loop uses a regular expression (`_RANGE_PATTERN`) that is vulnerable to catastrophic backtracking (ReDoS), exhibiting O(n^2) complexity on crafted input. Furthermore, the subsequent merge logic for ranges also runs in quadratic time, because it rescans the entire result list for every range it adds. An attacker can craft a Range header containing numerous small, non-overlapping ranges or specific numeric substrings to maximize the number of comparisons and operations, leading to severe CPU exhaustion. This impacts any Starlette application that uses `starlette.staticfiles.StaticFiles` or directly returns `FileResponse` instances.
What is the Impact of CVE-2025-62727?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to service unavailability, degraded performance, and potential financial losses due to resource exhaustion.
What is the Exploitability of CVE-2025-62727?
Exploitation is straightforward and can be conducted remotely. No authentication is required to trigger the vulnerability, making it highly accessible to attackers. There are no specific privilege requirements. The attack involves sending a single HTTP request with a specially crafted Range header. The complexity lies in crafting the optimal payload to maximize CPU exhaustion. The primary risk factor that increases exploitation likelihood is any Starlette application endpoint that serves files using FileResponse or StaticFiles, as this directly exposes the vulnerable parsing logic.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| ch4n3-yoon | Link | Proof of concept for CVE-2025-62727 that can cause a denial of service in FastAPI (which is based on Starlette <= 0.48.0) |
What are the Available Fixes for CVE-2025-62727?
About the Fix from Resolved Security
This patch rewrites the HTTP Range header parsing in FileResponse to use a safe string-based method, replacing the previous regex-based approach. By doing so, it prevents regular expression denial-of-service (ReDoS) attacks that could be triggered by malicious, complex Range headers, thus addressing the vulnerability CVE-2025-62727. The new parser rejects malformed input efficiently, ensuring the application remains performant and does not hang or crash.
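As an added example (not Starlette's own code and not the patched parser), a string-based Range parser in the spirit of the fix described above: no regular expression, a hard cap on the number of range specs, and a single sort-then-merge pass instead of rescanning the result list for every range. The names `parse_range_header`, `MalformedRangeHeader`, `is_rejected` and the `max_ranges` cap are assumptions of this example.

```python
from typing import List, Tuple
class MalformedRangeHeader(ValueError):
    """Raised for headers that should be refused (400/416) instead of served."""
def _is_decimal(s: str) -> bool:
    # ASCII digits only: str.isdigit() alone also accepts e.g. superscripts that int() rejects.
    return s != "" and s.isascii() and s.isdigit()
def parse_range_header(header: str, file_size: int,
                       max_ranges: int = 100) -> List[Tuple[int, int]]:
    """Parse 'bytes=a-b, c-, -d' into sorted, merged (start, end_exclusive) pairs."""
    if not header.startswith("bytes="):
        raise MalformedRangeHeader("unsupported range unit")
    specs = header[len("bytes="):].split(",")
    if len(specs) > max_ranges:  # bound the work before parsing any spec
        raise MalformedRangeHeader("too many ranges")
    ranges: List[Tuple[int, int]] = []
    for spec in specs:
        start_s, sep, end_s = spec.partition("-")
        start_s, end_s = start_s.strip(), end_s.strip()
        if not sep:
            raise MalformedRangeHeader(f"bad range spec {spec!r}")
        if start_s == "":                     # suffix form "-N": last N bytes
            if not _is_decimal(end_s) or int(end_s) == 0:
                raise MalformedRangeHeader(f"bad suffix range {spec!r}")
            start, end = max(0, file_size - int(end_s)), file_size
        else:
            if not _is_decimal(start_s) or (end_s and not _is_decimal(end_s)):
                raise MalformedRangeHeader(f"bad range spec {spec!r}")
            start = int(start_s)
            end = min(int(end_s) + 1, file_size) if end_s else file_size
            if start >= file_size or end <= start:
                raise MalformedRangeHeader(f"unsatisfiable range {spec!r}")
        ranges.append((start, end))
    # One sort plus one linear merge pass: O(n log n), no rescanning of the result list.
    ranges.sort()
    merged: List[Tuple[int, int]] = [ranges[0]]
    for start, end in ranges[1:]:
        last_start, last_end = merged[-1]
        if start <= last_end:                 # overlapping or adjacent
            merged[-1] = (last_start, max(last_end, end))
        else:
            merged.append((start, end))
    return merged
def is_rejected(header: str, file_size: int) -> bool:
    """True when the header would be refused rather than served."""
    try:
        parse_range_header(header, file_size)
    except MalformedRangeHeader:
        return True
    return False
```

The cap on range specs is a policy choice; real clients almost never send more than a handful, so a small limit costs nothing and bounds the parser's work before any per-range processing.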
Available Upgrade Options
- starlette
  - <0.49.1 → upgrade to 0.49.1
Additional Resources
- https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
- https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
- https://github.com/Kludex/starlette
- https://osv.dev/vulnerability/GHSA-7f5h-v6xp-fcq8
- https://github.com/Kludex/starlette/releases/tag/0.49.1
What are Similar Vulnerabilities to CVE-2025-62727?
Similar Vulnerabilities: CVE-2022-24489, CVE-2021-3807, CVE-2020-8022, CVE-2019-17495, CVE-2022-3004
