Suggestions search

All statuses

Filter by:

With package: python313Packages.starlette-admin

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-48710

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 6 days, 2 hours ago Activity log

Created suggestion 6 days, 2 hours ago

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

References

https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr x_refsource_CONFIRM
https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6 x_refsource_MISC
https://badhost.org x_refsource_MISC
https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml x_refsource_MISC
https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette x_refsource_MISC
https://www.secwest.net/starlette x_refsource_MISC
https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette x_refsource_MISC

Affected products

starlette

==< 1.0.1

Matching in nixpkgs

pkgs.python312Packages.starlette

Little ASGI framework that shines

nixos-25.11 0.47.2
- nixos-25.11-small 0.47.2
- nixpkgs-25.11-darwin 0.47.2

pkgs.python313Packages.starlette

Little ASGI framework that shines

nixos-unstable 0.52.1
- nixpkgs-unstable 0.52.1
- nixos-unstable-small 0.52.1
nixos-25.11 0.47.2
- nixos-25.11-small 0.47.2
- nixpkgs-25.11-darwin 0.47.2

pkgs.python314Packages.starlette

Little ASGI framework that shines

nixos-unstable 0.52.1
- nixpkgs-unstable 0.52.1
- nixos-unstable-small 0.52.1

pkgs.python312Packages.sse-starlette

Server Sent Events for Starlette and FastAPI

nixos-25.11 3.0.3
- nixos-25.11-small 3.0.3
- nixpkgs-25.11-darwin 3.0.3

pkgs.python312Packages.starlette-wtf

Simple tool for integrating Starlette and WTForms

nixos-25.11 0.4.5
- nixos-25.11-small 0.4.5
- nixpkgs-25.11-darwin 0.4.5

pkgs.python313Packages.sse-starlette

Server Sent Events for Starlette and FastAPI

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0
nixos-25.11 3.0.3
- nixos-25.11-small 3.0.3
- nixpkgs-25.11-darwin 3.0.3

pkgs.python313Packages.starlette-wtf

Simple tool for integrating Starlette and WTForms

nixos-unstable 0.4.5
- nixpkgs-unstable 0.4.5
- nixos-unstable-small 0.4.5
nixos-25.11 0.4.5
- nixos-25.11-small 0.4.5
- nixpkgs-25.11-darwin 0.4.5

pkgs.python314Packages.sse-starlette

Server Sent Events for Starlette and FastAPI

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0

pkgs.python314Packages.starlette-wtf

Simple tool for integrating Starlette and WTForms

nixos-unstable 0.4.5
- nixpkgs-unstable 0.4.5
- nixos-unstable-small 0.4.5

pkgs.python312Packages.starlette-admin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

nixos-25.11 0.15.1
- nixos-25.11-small 0.15.1
- nixpkgs-25.11-darwin 0.15.1

pkgs.python313Packages.starlette-admin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0
nixos-25.11 0.15.1
- nixos-25.11-small 0.15.1
- nixpkgs-25.11-darwin 0.15.1

pkgs.python314Packages.starlette-admin

Fast, beautiful and extensible administrative interface framework for Starlette & FastApi applications

nixos-unstable 0.16.0
- nixpkgs-unstable 0.16.0
- nixos-unstable-small 0.16.0

pkgs.python312Packages.starlette-context

Middleware for Starlette that allows you to store and access the context data of a request

nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.starlette-context

Middleware for Starlette that allows you to store and access the context data of a request

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python314Packages.starlette-context

Middleware for Starlette that allows you to store and access the context data of a request

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1

pkgs.python312Packages.starlette-compress

Compression middleware for Starlette - supporting ZStd, Brotli, and GZip

nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.python313Packages.starlette-compress

Compression middleware for Starlette - supporting ZStd, Brotli, and GZip

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1
nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.python314Packages.starlette-compress

Compression middleware for Starlette - supporting ZStd, Brotli, and GZip

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@wd15 Daniel Wheeler <daniel.wheeler2@gmail.com>
@pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>
@wrvsrx wrvsrx <wrvsrx@outlook.com>
@Zaczero Kamil Monicz <kamil@monicz.dev>
@n0emis Ember Keske <nixpkgs@n0emis.network>
@yuyuyureka Yureka <yuka@yuka.dev>
@johannwagner Johann Wagner <nix@wagner.digital>

Untriaged

Permalink CVE-2026-40561

created 4 weeks, 1 day ago Activity log

Created suggestion 4 weeks, 1 day ago

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.