Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.

Basic Information

ID CVE-2026-54283

Source GitHub_M

Published Jun 22, 2026 at 16:46

Affected Product

Vendor Kludex

Product starlette

Version >= 0.4.1, < 1.3.1

Affected Versions Kludex starlette >= 0.4.1, < 1.3.1

CWE Classification

CWE-770

References

github.com /Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq

{
    "lastseen": "",
    "description": "Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.",
    "published": "2026-06-22T16:46:16.706Z",
    "modified": "2026-06-22T16:46:16.706Z",
    "type": "cve",
    "title": "Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS",
    "source": "GitHub_M",
    "references": "https://github.com/Kludex/starlette/security/advisories/GHSA-82w8-qh3p-5jfq",
    "id": "CVE-2026-54283",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "Kludex starlette >= 0.4.1, < 1.3.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "starlette",
    "version": ">= 0.4.1, < 1.3.1",
    "vendor": "Kludex",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS_CVE-2026-54283