CVE-2025-54121: Starlette has possible denial-of-service vector when parsing large files in multipart forms
When parsing a multipart form with large files (greater than the default max spool size), Starlette will block the main thread to roll the file over to disk. This blocks the event loop thread, which means the server can't accept new connections.
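The following block is an added, stdlib-only illustration of the failure mode and of the mitigation; it is not Starlette's code. A small spooling upload class buffers chunks in a `SpooledTemporaryFile`; the write that crosses `max_size` makes that file copy everything buffered so far to disk. With `offload=False` every write runs synchronously on the event loop, reproducing the stall described above; with `offload=True` the writer checks whether the next chunk would trigger the rollover and, if so (or if the file has already rolled), moves the write to a worker thread with `asyncio.to_thread`. The upstream fix commit referenced below takes the same approach with Starlette's `run_in_threadpool`, as far as I can tell; treat that parallel as an assumption. The `_rolled` attribute is a CPython-private detail of `SpooledTemporaryFile`, the 64-byte spool limit and the three 40-byte chunks are constructed for the demo, and `write_threads` is a bookkeeping list added here so a test can check which writes left the loop thread.

```python
import asyncio
import tempfile
import threading

# Starlette spools uploads in memory up to 1 MiB by default; a tiny limit is used
# in the demo below so the rollover is easy to trigger.
DEFAULT_MAX_SPOOL_SIZE = 1024 * 1024


class SpoolingUpload:
    """Minimal stand-in for an upload object that spools to memory, then disk.

    The write that pushes the buffer past max_size makes SpooledTemporaryFile
    copy everything buffered so far into a real temporary file. Done on the
    event loop, that copy is the stall described in CVE-2025-54121.
    """

    def __init__(self, max_size: int = DEFAULT_MAX_SPOOL_SIZE, offload: bool = True):
        self.max_size = max_size
        self.offload = offload  # False reproduces the vulnerable behaviour
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self.write_threads: list[int] = []  # thread id each write ran on (demo bookkeeping)

    @property
    def in_memory(self) -> bool:
        # CPython's SpooledTemporaryFile sets _rolled once it has rolled over to disk
        # (private attribute; assumption that it is present).
        return not getattr(self.file, "_rolled", True)

    def will_roll(self, size_to_add: int) -> bool:
        """True if writing size_to_add more bytes would trigger the rollover to disk."""
        return self.in_memory and self.file.tell() + size_to_add > self.max_size

    def _sync_write(self, data: bytes) -> None:
        self.write_threads.append(threading.get_ident())
        self.file.write(data)

    async def write(self, data: bytes) -> None:
        # Cheap in-memory appends stay on the loop. The rollover write and every
        # write after it touch the disk, so they are handed to a worker thread.
        if self.offload and (self.will_roll(len(data)) or not self.in_memory):
            await asyncio.to_thread(self._sync_write, data)
        else:
            self._sync_write(data)

    def read_all(self) -> bytes:
        self.file.seek(0)
        return self.file.read()


async def upload_chunks(chunks, max_size: int, offload: bool):
    """Feed chunks through a writer; report content, spool state and which writes left the loop."""
    loop_thread = threading.get_ident()
    up = SpoolingUpload(max_size=max_size, offload=offload)
    for chunk in chunks:
        await up.write(chunk)
    off_loop = [tid != loop_thread for tid in up.write_threads]
    return up.read_all(), up.in_memory, off_loop


def run_demo(max_size: int = 64, offload: bool = True):
    # Constructed sample upload: three 40-byte chunks, so the second one crosses
    # a 64-byte spool limit and forces the rollover.
    chunks = [bytes([i]) * 40 for i in range(3)]
    return asyncio.run(upload_chunks(chunks, max_size, offload))


if __name__ == "__main__":
    for offload in (False, True):
        _, in_memory, off_loop = run_demo(offload=offload)
        print(f"offload={offload}: rolled_to_disk={not in_memory} writes_off_loop={off_loop}")
```

With `offload=False` all three writes, including the one that copies the buffer to disk, run on the loop thread; with `offload=True` only the first, purely in-memory, write does. The content and the final spool state are identical either way, which is the point: the mitigation changes where the disk work happens, not what is stored.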
References
- github.com/advisories/GHSA-2c2j-9gv5-cj73
- github.com/encode/starlette
- github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py
- github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
- github.com/encode/starlette/discussions/2927
- github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
- nvd.nist.gov/vuln/detail/CVE-2025-54121