PT-2026-49597 · PyPI · Starlette

Published: 2026-06-15 · Updated: 2026-06-15 · CVE-2026-54283

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Starlette (affected versions not specified); FastAPI (affected versions not specified)
Description: A Denial of Service (DoS) issue exists in the request.form() function when processing application/x-www-form-urlencoded requests. The limits for max fields and max part size are enforced for multipart/form-data bodies but ignored for url-encoded bodies. This allows an unauthenticated attacker to cause resource exhaustion in two ways: sending a very large number of fields (e.g., 1,000,000), which blocks the worker's event loop and consumes CPU, or sending a single very large field, which forces unbounded memory allocation.
Recommendations: Upgrade to a patched version of Starlette and FastAPI so that max fields and max part size are enforced by the url-encoded parser as well. As a temporary workaround, restrict the request body size at a reverse proxy to reduce the risk of memory exhaustion; note that this may not fully prevent event-loop blocking.
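As an added illustration of the two missing checks (example code written for this page, not Starlette's or python-multipart's parser), the function below parses a url-encoded body while enforcing a field-count cap and a per-field size cap incrementally, so an oversized body is rejected before it is copied or decoded. The limit defaults and the sample bodies are assumptions constructed for the example.

```python
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(ValueError):
    """Raised when a url-encoded body exceeds a configured limit."""


def parse_urlencoded_bounded(body: bytes, max_fields: int = 1000,
                             max_part_size: int = 1024 * 1024) -> list[tuple[str, str]]:
    """Parse application/x-www-form-urlencoded bytes into (name, value) pairs.

    Both limits are checked while scanning, not after a full split: the
    field-count cap trips as soon as one field too many is seen, and the
    size cap is enforced by searching for the next '&' only inside a window
    of max_part_size + 1 bytes, so a single huge field is rejected without
    ever being sliced or decoded. The default limits are assumptions.
    """
    fields: list[tuple[str, str]] = []
    n = len(body)
    start = 0
    while start <= n:
        # Look for the separator only inside the permitted window.
        window_end = min(n, start + max_part_size + 1)
        end = body.find(b"&", start, window_end)
        if end == -1:
            if n - start > max_part_size:
                raise FormLimitExceeded(f"field longer than {max_part_size} bytes")
            end = n
        if end > start:  # skip empty segments such as a trailing '&'
            if len(fields) >= max_fields:
                raise FormLimitExceeded(f"more than {max_fields} fields")
            raw_name, _, raw_value = body[start:end].partition(b"=")
            fields.append((_decode(raw_name), _decode(raw_value)))
        start = end + 1
    return fields


def _decode(segment: bytes) -> str:
    """'+' means space in this encoding; %XX escapes are resolved bytewise."""
    return unquote_to_bytes(segment.replace(b"+", b" ")).decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    print(parse_urlencoded_bounded(b"user=alice&q=hello+world&x=%41"))
    flood = b"&".join(b"f%d=1" % i for i in range(10_000))
    try:
        parse_urlencoded_bounded(flood, max_fields=1000)
    except FormLimitExceeded as exc:
        print("rejected:", exc)
```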

Fix

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-54283, GHSA-82W8-QH3P-5JFQ

Affected Products: Starlette