CVE-2025-62727 Overview
Starlette is a lightweight ASGI framework/toolkit widely used for building high-performance Python web applications. A denial-of-service vulnerability exists in Starlette versions 0.39.0 through 0.49.0 that allows an unauthenticated attacker to send a crafted HTTP Range header that triggers quadratic-time processing in the FileResponse Range parsing and merging logic. This enables CPU exhaustion per request, causing denial-of-service for endpoints serving files such as StaticFiles or any use of FileResponse.
Critical Impact
Unauthenticated, remote attackers can exhaust server CPU by sending malicious HTTP Range headers to any endpoint served through FileResponse or StaticFiles, denying service to legitimate users of those endpoints.
Affected Products
- Starlette versions >= 0.39.0 and < 0.49.1
- Applications using Starlette's FileResponse class
- Applications using Starlette's StaticFiles middleware
Discovery Timeline
- 2025-10-28 - CVE-2025-62727 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-62727
Vulnerability Analysis
This vulnerability is classified as CWE-407 (Inefficient Algorithmic Complexity), representing an algorithmic complexity attack that leads to CPU exhaustion. The flaw resides in how Starlette's FileResponse class processes HTTP Range headers when serving files.
When a client requests partial content from a file-serving endpoint using the Range header, Starlette parses the byte ranges and merges overlapping or adjacent ones before reading the file. The vulnerable implementation does this with quadratic time complexity (O(n²)): the work grows with the square of the number of ranges in the header, so doubling the ranges roughly quadruples the CPU time. Because the attacker chooses the number of ranges, a single request carrying thousands of range specifications (a few kilobytes of header) forces the server to spend a disproportionate amount of CPU on parsing and merging before a single byte of the file is sent.
This attack requires no authentication and can be launched remotely over the network. The impact is limited to availability—there is no data confidentiality or integrity breach—but the ability to exhaust CPU resources makes this a significant denial-of-service vector for any Starlette application serving static files.
Root Cause
The root cause is the algorithmic complexity of the Range header parsing and merging logic in Starlette's responses.py module. Parsed ranges were merged by comparing each new range against the list of ranges already merged, so the cost grows as O(n²) in the number of ranges, and the number of ranges is chosen by the client. The tokenising of the header itself was regex-based. The fix reworks this logic so that the cost no longer grows quadratically and drops the regex-based parsing, which is why the commit removes the `re` import shown below.
Attack Vector
The attack is network-based and requires no authentication, privileges, or user interaction. An attacker simply sends HTTP requests with specially crafted Range headers to any endpoint that serves files using Starlette's FileResponse or StaticFiles. By including a large number of range specifications in a single header, the attacker forces the server to perform excessive computation, consuming CPU resources and potentially rendering the service unavailable for legitimate users.
# Excerpt from the fix commit (responses.py import block)
# The `re` import goes away because the rewritten Range parser no longer uses regular expressions
import http.cookies
import json
import os
-import re
import stat
import sys
import warnings
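Review bot: Removing `import re` is only safe if every remaining use of `re` in responses.py goes in the same commit; this hunk shows only the import block, so the replacement parse-and-merge code that carries the actual complexity fix is not visible here and needs to be reviewed alongside it, ideally with a test that feeds a Range header of several thousand specs and bounds the processing time.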
Source: GitHub Commit
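To make the complexity class concrete, here is an added example (not Starlette's code, and not the patch) that models the pattern the advisory describes: a merge that rescans the already-merged list for every new range, next to a sort-then-single-pass merge. The `parse_ranges` parser, the comparison counters and `build_attack_header` are constructed for this illustration; the header it generates is synthetic (non-overlapping one-byte ranges), which is enough to show the n² growth.

```python
"""Added example (not Starlette's code or its patch): why merging n byte ranges
by rescanning the merged list is O(n^2), and what the linear alternative is.

Both merge functions return (merged_ranges, comparisons) so the cost can be
asserted rather than only timed. The parser and helpers are constructed for
the demonstration and model only the header shapes discussed above.
"""
from __future__ import annotations

import time


def parse_ranges(header: str, file_size: int) -> list[tuple[int, int]]:
    """Parse 'bytes=a-b, c-d, ...' into half-open (start, end) pairs.

    Supports 'a-b', 'a-' (to end of file) and '-n' (last n bytes), clamps to
    file_size and drops ranges that are empty after clamping. Malformed specs
    raise ValueError; a real server would answer 400 or 416.
    """
    units, _, spec = header.partition("=")
    if units.strip().lower() != "bytes":
        raise ValueError("only byte ranges are supported")
    ranges: list[tuple[int, int]] = []
    for part in spec.split(","):
        start_s, sep, end_s = part.strip().partition("-")
        if not sep or not (start_s or end_s):
            raise ValueError(f"malformed range spec {part!r}")
        if start_s:
            start = int(start_s)
            end = int(end_s) + 1 if end_s else file_size
        else:  # suffix form '-n': the last n bytes
            start = max(file_size - int(end_s), 0)
            end = file_size
        end = min(end, file_size)
        if start < end:
            ranges.append((start, end))
    return ranges


def merge_quadratic(ranges: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], int]:
    """Vulnerable pattern: for every new range, rescan the whole merged list.

    With n disjoint ranges this costs exactly n*(n-1)/2 comparisons, and the
    client controls n through the Range header alone.
    """
    merged: list[tuple[int, int]] = []
    comparisons = 0
    for start, end in ranges:
        kept: list[tuple[int, int]] = []
        for m_start, m_end in merged:
            comparisons += 1
            if m_end < start or end < m_start:  # disjoint: keep as is
                kept.append((m_start, m_end))
            else:  # overlapping or adjacent: absorb into the new range
                start, end = min(start, m_start), max(end, m_end)
        kept.append((start, end))
        kept.sort()
        merged = kept
    return merged, comparisons


def merge_linear(ranges: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], int]:
    """Fixed pattern: sort once (O(n log n)), then coalesce neighbours in one pass.

    The merge loop does n-1 comparisons; the sort dominates and is not counted.
    """
    merged: list[tuple[int, int]] = []
    comparisons = 0
    for start, end in sorted(ranges):
        if merged:
            comparisons += 1
            last_start, last_end = merged[-1]
            if start <= last_end:  # overlaps or touches the previous range
                merged[-1] = (last_start, max(last_end, end))
                continue
        merged.append((start, end))
    return merged, comparisons


def build_attack_header(n: int) -> str:
    """Constructed abusive header: n tiny, non-overlapping byte ranges."""
    return "bytes=" + ",".join(f"{2 * i}-{2 * i}" for i in range(n))


def time_merge(merge, n: int, file_size: int = 1 << 20) -> tuple[float, int]:
    """Return (seconds, comparisons) for merging n attacker-chosen ranges."""
    ranges = parse_ranges(build_attack_header(n), file_size)
    t0 = time.perf_counter()
    _, comparisons = merge(ranges)
    return time.perf_counter() - t0, comparisons


if __name__ == "__main__":
    for n in (250, 500, 1000, 2000):
        q_sec, q_cmp = time_merge(merge_quadratic, n)
        l_sec, l_cmp = time_merge(merge_linear, n)
        print(f"n={n:5d}  quadratic: {q_cmp:>8d} cmp {q_sec:.3f}s"
              f"   linear: {l_cmp:>5d} cmp {l_sec:.4f}s")
```

Running the module prints comparison counts and wall-clock time for a few header sizes: the quadratic merge does n(n-1)/2 comparisons, the linear one n-1 after an O(n log n) sort. The same growth applies to any implementation with this shape regardless of its constants, which is why the durable fix is algorithmic and why a per-request cap on the number of ranges at the proxy is the right belt-and-braces control while patching.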
Detection Methods for CVE-2025-62727
Indicators of Compromise
- Unusually high CPU utilization on servers running Starlette applications
- HTTP requests containing Range headers with excessive number of byte range specifications
- Elevated response times for file-serving endpoints without corresponding increase in legitimate traffic
- Server logs showing repeated requests to static file endpoints from a small number of sources, each carrying an unusually long Range header
Detection Strategies
- Monitor for HTTP requests with abnormally long or complex Range headers targeting file-serving endpoints
- Implement rate limiting on static file endpoints to identify potential abuse patterns
- Configure web application firewalls (WAF) to detect and block Range headers exceeding normal complexity thresholds
- Analyze server performance metrics for CPU spikes correlated with requests to static file endpoints
Monitoring Recommendations
- Set up alerting for CPU utilization anomalies on Starlette application servers
- Log and analyze Range header contents for requests to FileResponse and StaticFiles endpoints
- Monitor request latency metrics for file-serving endpoints to detect degradation patterns
- Implement connection tracking to identify sources sending excessive requests with complex Range headers
How to Mitigate CVE-2025-62727
Immediate Actions Required
- Upgrade Starlette to version 0.49.1 or later immediately
- Audit applications to identify all uses of FileResponse and StaticFiles components
- Implement network-level rate limiting for static file endpoints as a temporary protection measure
- Review web server and reverse proxy configurations to add Range header complexity limits
Patch Information
The vulnerability has been fixed in Starlette version 0.49.1. The patch rewrites the Range header parsing and merging logic in responses.py so that processing cost no longer grows quadratically with the number of ranges, and removes the regex-based parsing in the process.
Workarounds
- Deploy a reverse proxy (nginx, Apache, Caddy) in front of Starlette applications configured to reject or limit complex Range headers
- Implement middleware to validate and sanitize Range headers before they reach FileResponse processing
- Temporarily disable Range header support for static file endpoints if partial content delivery is not required
- Use CDN or separate static file serving infrastructure that is not affected by this vulnerability
# Example nginx configuration to limit Range header abuse
# Add to the server block that fronts the Starlette application
location /static/ {
    # Reject Range headers longer than 500 bytes after "bytes=" (well over 100
    # range specs). `if` inside a location is safe here because it only returns.
    if ($http_range ~* "bytes=.{500,}") {
        return 416;
    }
    proxy_pass http://starlette_backend;
}
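The middleware workaround above (validate Range headers before they reach FileResponse) and the detection recommendations in the previous section can be served by the same component. The following is an added example, not code from Starlette or its patch: a plain ASGI middleware that counts the range specs in the Range header, logs one structured warning per abusive request as the detection signal, and either rejects the request with 400 or strips the header so the whole file is served. The class name RangeGuard, the 32-spec threshold, the log line format and the `echo_range_app`/`run_request` harness are all constructed for this example.

```python
"""Added example (not Starlette's code): an ASGI middleware that inspects the
Range header before it reaches FileResponse / StaticFiles.

It speaks raw ASGI so it runs without Starlette installed, but wraps a
Starlette app the same way: app = RangeGuard(Starlette(routes=...)).
The limit of 32 range specs, the 400 status and the log format are choices
made for this example, not values from the advisory or the project.
"""
from __future__ import annotations

import asyncio
import logging
from typing import Awaitable, Callable

log = logging.getLogger("range_guard")

Scope = dict
Receive = Callable[[], Awaitable[dict]]
Send = Callable[[dict], Awaitable[None]]
ASGIApp = Callable[[Scope, Receive, Send], Awaitable[None]]

MAX_RANGE_SPECS = 32  # assumption: legitimate clients send one spec, rarely a few


def count_range_specs(header_value: str) -> int:
    """Count comma-separated specs in a Range value: 'bytes=0-0,2-2' -> 2.

    Empty specs count too ('bytes=,,,' -> 4) so junk cannot slip under the
    limit; an empty value after '=' counts as zero.
    """
    _, _, spec = header_value.partition("=")
    return spec.count(",") + 1 if spec.strip() else 0


class RangeGuard:
    """Log, then reject (or strip) Range headers with too many range specs."""

    def __init__(self, app: ASGIApp, max_specs: int = MAX_RANGE_SPECS, reject: bool = True) -> None:
        self.app = app
        self.max_specs = max_specs
        self.reject = reject  # False: drop the header and let the whole file be served

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        headers = scope.get("headers", [])  # ASGI: list of (lowercase name, value) byte pairs
        specs = sum(count_range_specs(v.decode("latin-1")) for k, v in headers if k == b"range")
        if specs <= self.max_specs:
            await self.app(scope, receive, send)
            return
        client = (scope.get("client") or ("-", 0))[0]
        # Detection signal: one structured line per abusive header, for alerting
        log.warning("range_guard specs=%d limit=%d client=%s path=%s",
                    specs, self.max_specs, client, scope.get("path"))
        if self.reject:
            body = b"Range header contains too many ranges\n"
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain; charset=utf-8"),
                                    (b"content-length", str(len(body)).encode())]})
            await send({"type": "http.response.body", "body": body})
            return
        stripped = dict(scope, headers=[(k, v) for k, v in headers if k != b"range"])
        await self.app(stripped, receive, send)


async def echo_range_app(scope: Scope, receive: Receive, send: Send) -> None:
    """Stand-in for a file endpoint: echoes the Range header it was given."""
    seen = b",".join(v for k, v in scope["headers"] if k == b"range")
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": seen})


def run_request(app: ASGIApp, range_header: str | None) -> tuple[int, bytes]:
    """Drive `app` with a constructed GET /static/x request; return (status, body)."""
    headers = [(b"host", b"example.test")]
    if range_header is not None:
        headers.append((b"range", range_header.encode("latin-1")))
    scope = {"type": "http", "method": "GET", "path": "/static/x",
             "headers": headers, "client": ("203.0.113.5", 4242)}
    messages: list[dict] = []

    async def receive() -> dict:
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message: dict) -> None:
        messages.append(message)

    asyncio.run(app(scope, receive, send))
    body = b"".join(m.get("body", b"") for m in messages[1:])
    return messages[0]["status"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    guard = RangeGuard(echo_range_app, max_specs=4)
    print(run_request(guard, "bytes=0-99"))
    print(run_request(guard, "bytes=" + ",".join(f"{i}-{i}" for i in range(0, 400, 2))))
    print(run_request(RangeGuard(echo_range_app, max_specs=4, reject=False),
                      "bytes=0-0,2-2,4-4,6-6,8-8"))
```

Wrapping a real application is `app = RangeGuard(Starlette(routes=...))`, served with uvicorn as usual. Strip mode (`reject=False`) trades partial content for the whole file on oversized headers, which matches the "temporarily disable Range support" workaround without breaking clients that never send a Range header. The 400 here and the 416 in the nginx example are both defensible; pick one and keep the proxy and application consistent so alerts on either status mean the same thing. The log line carries `client` and `specs` as the fields to alert and rate-limit on.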
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


