Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: python313Packages.starlette

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-48818
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 9 hours ago
  • @LeSuisse ignored
    10 packages
    • python313Packages.sse-starlette
    • python313Packages.starlette-wtf
    • python314Packages.sse-starlette
    • python314Packages.starlette-wtf
    • python313Packages.starlette-admin
    • python314Packages.starlette-admin
    • python313Packages.starlette-context
    • python314Packages.starlette-context
    • python313Packages.starlette-compress
    • python314Packages.starlette-compress
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse ignored maintainer @wd15 5 hours ago maintainer.ignore
  • @LeSuisse published on GitHub 5 hours ago
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

Affected products

starlette
  • ==< 1.1.0

Matching in nixpkgs

Ignored packages (10)

Package maintainers

Ignored maintainers (1)
Published
Permalink CVE-2026-48817
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 9 hours ago
  • @LeSuisse ignored
    10 packages
    • python313Packages.sse-starlette
    • python313Packages.starlette-wtf
    • python314Packages.sse-starlette
    • python314Packages.starlette-wtf
    • python313Packages.starlette-admin
    • python314Packages.starlette-admin
    • python313Packages.starlette-context
    • python314Packages.starlette-context
    • python313Packages.starlette-compress
    • python314Packages.starlette-compress
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse ignored maintainer @wd15 5 hours ago maintainer.ignore
  • @LeSuisse published on GitHub 5 hours ago
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.

Affected products

starlette
  • ==< 1.1.0

Matching in nixpkgs

Ignored packages (10)

Package maintainers

Ignored maintainers (1)
Untriaged
Permalink CVE-2026-48710
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 3 weeks, 1 day ago Activity log
  • Created suggestion 3 weeks, 1 day ago
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

Affected products

starlette
  • ==< 1.0.1

Matching in nixpkgs

Package maintainers