PT-2025-44209 · Starlette

Published: 2025-10-28 · Updated: 2026-02-10 · CVE-2025-62727

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Starlette versions 0.39.0 through 0.49.0
Description: Starlette is a lightweight ASGI framework/toolkit. An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial of service for endpoints serving files, such as StaticFiles or any use of FileResponse. The parsing loop of FileResponse._parse_range_header() uses a regular expression that is vulnerable to denial of service due to its O(n^2) complexity; a crafted Range header can maximize this complexity. The merge loop processes each input range by scanning the entire result list, which is quadratic when the header contains many disjoint ranges. This affects any Starlette application that uses starlette.staticfiles.StaticFiles or direct starlette.responses.FileResponse responses.
Recommendations: Versions prior to 0.49.1 are affected; update to a version that is not affected (0.49.1 or later).
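The two defects the advisory describes (a backtracking-prone regular expression and a merge loop that rescans the whole result list for every input range) are generic and easy to illustrate without Starlette's own code. The example below is added here and is not Starlette's implementation or its fix: `merge_ranges_quadratic` shows the scan-everything-per-input pattern the description names, and `parse_ranges`/`merge_ranges` show a hardened equivalent with a linear-time per-token regex, a hypothetical cap on the number of ranges (`MAX_RANGES`, an assumed value), and a sort-then-single-pass merge. Header values in the test are constructed.

```python
import re
from typing import List, Tuple

Range = Tuple[int, int]  # half-open byte range [start, end)

# Constructed pattern: one token is "<digits>-<digits>" with either side optional.
# No nested or overlapping quantifiers, so matching is linear in token length.
_RANGE_TOKEN = re.compile(r"^(\d*)-(\d*)$")

# Hypothetical limit on ranges per request; a small bound keeps even a
# worst-case merge cheap. Real deployments should tune this for their use.
MAX_RANGES = 64


def merge_ranges_quadratic(ranges: List[Range]) -> List[Range]:
    """Illustration of the pattern the advisory describes (not Starlette's code):
    every input range is checked against the entire result list, so n disjoint
    ranges cost O(n^2) comparisons."""
    result: List[Range] = []
    for start, end in ranges:
        i = 0
        while i < len(result):  # full scan of the result list per input
            r_start, r_end = result[i]
            if start <= r_end and end >= r_start:
                start, end = min(start, r_start), max(end, r_end)
                result.pop(i)  # absorb the overlapping entry and keep scanning
            else:
                i += 1
        result.append((start, end))
    return sorted(result)


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Hardened merge: sort once (O(n log n)), then a single pass in which each
    range is compared only with the last merged range."""
    merged: List[Range] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            last_start, last_end = merged[-1]
            merged[-1] = (last_start, max(last_end, end))  # overlap or adjacency
        else:
            merged.append((start, end))
    return merged


def parse_ranges(header: str, file_size: int, max_ranges: int = MAX_RANGES) -> List[Range]:
    """Parse an HTTP Range header value into merged, sorted, half-open ranges.

    Raises ValueError for unsupported units, malformed tokens, unsatisfiable
    ranges, or more than `max_ranges` tokens (the cap is checked before any
    per-token work, so oversized headers are rejected in O(1) extra effort).
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    tokens = header[len("bytes="):].split(",")
    if len(tokens) > max_ranges:
        raise ValueError("too many ranges")

    ranges: List[Range] = []
    for token in tokens:
        m = _RANGE_TOKEN.match(token.strip())
        if not m:
            raise ValueError(f"malformed range: {token!r}")
        start_s, end_s = m.groups()
        if start_s == "" and end_s == "":
            raise ValueError("empty range")
        if start_s == "":
            # suffix range "-N": the last N bytes of the file
            length = int(end_s)
            if length == 0:
                raise ValueError("zero-length suffix range")
            start, end = max(file_size - length, 0), file_size
        else:
            start = int(start_s)
            end = file_size if end_s == "" else min(int(end_s) + 1, file_size)
        if start >= file_size or start >= end:
            raise ValueError("unsatisfiable range")
        ranges.append((start, end))
    return merge_ranges(ranges)


def is_valid_range_header(header: str, file_size: int) -> bool:
    """Convenience predicate: True if parse_ranges accepts the header."""
    try:
        parse_ranges(header, file_size)
        return True
    except ValueError:
        return False
```

Both merge functions return the same ranges; the difference is only in how much work they do per input, which is exactly the property a fix for this class of issue has to change. Rejecting oversized headers before parsing them is the cheap defence-in-depth a file-serving endpoint can add independently of the framework version.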

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2025-62727
ECHO-FC38-DA22-1AFB
GHSA-7F5H-V6XP-FCQ8
OPENSUSE-SU-2025:15696-1
OPENSUSE-SU-2026:10109-1

Affected Products

Debian
Starlette